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Such documents may be handled by people (referred to as 
"users") and/or by computers operating on behalf of users. The 
documents may exist both in electronic form for storage and 
transmission and in paper form for manual handling. 

These docimxents may originate wholly within the 
organization, or may be created, in whole or in part, from 
information received from outside the organization. Authorized 
persons within the organization may choose to release 
documents, in whole or in part, to entities outside the 
organization. Some such entities may also employ VDE 100 for 
document control, whereas others may not. 

Document Control Policies 

The organization as a whole may have a well-defined poUcy 
for access control- to, and/or other usage control of documents. 
This policy may be based on a "lattice modeF of information flow, 
in which documents are characterized as having one or more 
hierarchical "classification" security attributes 9903 and zero or 
more non-hierarchical "compartment" security attributes, aU of 
which together comprise a sensitivity security attribute. 

The classification attributes may designate the overall 
level of sensitivity of the document as an element of an ordered 
set. For example, the set "unclassified " "confidential," "secret," 
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'ix)p secret" might be appropriate in a govermnent setting, and 
the set "public," "internal," "confidential," "registered 
confidential" might be appropriate in a corporate setting. 

The compartment attributes may designate the document's 
association with one or more specific activities within the 
organization, such as departmental subdivisions (e.g., "research," 
"development," "Marketing") or specific projects within the 
organization. 

Each person using an electronic appUance 600 would be 
assigned, by an authorized user, a set of permitted sensitivity 
attributes to designate those docimxents, or one or more portions 
of certain document types, which could be processed in certain 
one or more ways, by the person's electronic appliance. A 
document's sensitivity attribute would have to belong to the 
user's set of permitted sensitivity values to be accessible. 

In addition, the organization may desire to permit users to 
exercise control over specific documents for which the user has 
some defined responsibihty. As an example, a user (the 
"originating user") may wish to place an "originator controlled" 
("ORCON") restriction on a certain document, such that the 
document may be transmitted and used only by those specific 
other users whom he designates (and only in certain, esqpressly 
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authorized ways). Such a restriction may be flexible if the 
"distribution list" could be modified after the creation of the 
document, specifically in the event of someone requesting 
permission from the originating user to transmit the document 
outside the original list of authorized recipients. The originating 
user may wish to permit distribution only to specific users, 
defined groups of users, defined geographic areas, users 
authorized to act in specific organizational roles, or a combination 
of any or all such attributes. 

In this example, the organization may also desire to permit 
users to define a weaker distribution restriction such that access 
to a document is limited as above, but certain or all information 
within the document may be extracted and redistributed without 
further restriction by the recipients. 

The organization and/or originating users may wish to 
know to what uses or geographic locations a document has been 
distributed. The organization may wish to know where 
doctmients with certain protection attributes have been 
distributed, for example, based on geographic information stored 
in site configuration records and/or name services records. 

A user may wish to request a "return receipt" for a 
distributed document, or may wish to receive some indication of 
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how a document has been handled by its recipients (e.g., whether 
it has been viewed, printed, edited and/or stored), for example, by 
specifying one or more audit requirements (or methods known to 
have audit requirements) in a PERC associated with such 
document(s). 

User Environment 

In an organization (or associateion) such as that described 
above, users may utilize a variety of electronic appliances 600 for 
processing and managing documents. This may include personal 
computers, both networked and otherwise, powerful single-user 
workstations, and servers or mainframe computers. To provide 
support for the control information described in this example, 
eadi electronic appliance that participates in use and 
management of VDE-protected documents may be enhanced with 
a VDE secure subsystem supporting an SPE 503 and/or HPE 
655. 

In some orgaiuzations, where the threats to secure 
operation are relatively low, an HPE 655 may su£Eice. In other 
organizations (e.g., government defense), it may be necessary to 
employ an SPE 503 in all situations where VDE-protected 
documents are processed. The choice of enhancement 
environment and technology may be different in diSerent of the 
organization. Even if different types of PPE 650 are used within 



804 



wo 96/27155 



PCT/US96/02303 



an organization to serve different requirements, they may be 
compatible and may operate on the same types (or subsets of 
types) of documents. 

Users may employ application programs that are 
customized to operate in cooperation with the VDE for handling 
of VDE-protected documents. Examples of this may include 
VDE-aware document viewers, VDE aware electronic mail 
systems, and similar applications. Those programs may 
communicate with the PPE 650 component of a user's electronic 
appliance 600 to make VDE-protected documents available for 
use while limiting the extent to which their contents may be 
copied, stored, viewed, modified, and/or transmitted and/or 
otherwise farther distributed outside the specific electronic 
appliance. 

Users may wish to employ commercial, off-the-shelf 
("COTS'*) operating systems and application programs to process 
the VDE-protected documents. One approach to permit the use 
of COTS application programs and operating systems would be to 
allow such use only for documents without restrictions on 
redistribution. The standard VDE operating system redirector 
woiild aUow users to access VDE-protected documents in a 
manner equivalent to that for files. In such an approach, 
however, a chain of control for metering and/or auditing use may 
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be 'l:)roken'' to some extent at the point that the protected object 
was made available to the COTS appUcation. The fingerprinting 
(watermarking) techniques of VDE may be iised to facilitate 
further tracking of any released information. 

A variety of techniques may be used to protect printing of 
protected documents, such as, for example: server-based 
deciyption engines, special fonts for ^fingerprinting," etc. 

Another approach to supporting COTS software would use 
the VDE software running on the user's electronic apphance to 
create one or more "virtual machine'' environments in which 
COTS operating system and appUcation programs may run, but 
from which no information may be permanently stored or 
otherwise transmitted except under control of VDE. Such an 
environment would permit VDE to manage all VDE-protected 
information, yet may permit unlimited use of COTS applications 
to process that information within the confines of a restricted 
enviroimient. The entire contents of such an environment could 
be treated by VDE 100 as an extension to any VDE-protected 
documents read into the environment. Transmission of 
information out of the environment could be governed by the 
same rules as the original document(s). 
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'CoaxBe-Grain* Control Capabilities 

As mentioned above, an organization may employ 
VDE-enforced control capabilities to manage the security, 
distribution, integrity, and control of entire documents. Some 
examples of these capabilities may include: 

1) A communication channel connecting two or more 
electronic appUances 600 may be assigned a set of 
permitted sensitivity attributes. Only documents 
whose sensitivity attributes belong to this set would 
be permitted to be transmitted over the chaxmel. 
This could be used to support the Device Labels 
reqxurement of the Trusted Computer System 
Evaluation Criteria (TCSEC). 

2) A writable storage device (e.g., fixed disk, diskette, 
tape drive, optical disk) connected to or incorporated 
in an electronic appliance 600 may be assigned a set 
of permitted sensitivity attributes. Only documents 
whose sensitivity attributes belong to this set would 
be permitted to be stored on the device. This could 
be used to support the TCSEC Device Labels 
requirement. 
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A document may have a list of users associated with 
it representing the users who are permitted to 
"liandle" the document. This list of users may 
represent, for example, the only xisers who may view 
the document, even if other users receive the 
document container, they could not manipulate the 
contents. This could be used to support the standard 
ORCON handling caveat. 

A document may have an attribute designating its 
originator and requiring an expUcit permission to be 
granted by an originator before the document's 
content could be viewed. This request for permission 
may be made at the time the document is accessed 
by a user, or, for example, at the time one user 
distributes the docimient to another user. If 
permission is not granted, the document could not be 
manipulated or otherwise used. 

A docmnent may have an attribute requiring that 
each use of the document be reported to the 
document's originator. This may be used by an 
originator to gauge the distribution of the document. 
Optionally, the report may be reqxiired to have been 
made successfully before any use of the doctunent is 
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permitted, to ensure that the use is known to the 
controlling party at the time of use. Alternatively, 
for example, the report could be made in a deferred 
("batch'') fashion. 

6) A document may have an attribute requiring that 
each use of the docxunent be reported to a central 
document tracking clearinghouse. This could be 
used by the organization to track specific documents, 
to identify documents used by any particular user 
and/or group of users to track documents with 
specific attributes (e.g., sensitivity), etc. Optionally, 
for example, the report may be required to have been 
made successfully before any use of the document is 
permitted. 

7) A VDE protected dociunent may have an attribute 
requiring that each use of the document generate a 
"return receipt," to an originator. A person using the 
document may be required to answer specific 
questions in order to generate a return receipt, for 
example by indicating why the document is of 
interest, or by indicating some knowledge of the 
document's contents (after reading it). This may be 
used as assurance that the document had been 
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handled by a person, not by any automated software 
mechanism. 

8) A VDE protected document's content may be made 
available to a VDE-unaware application program in 
such a way that it is imiquely identifiable (traceable) 
to a user who caused its release. Thus, if the 
released form of the document is further distributed, 
its origin could be determined. This may be done by 
employing VDE "fingerprinting^ for content release. 
Similarly, a printed VDE protected document may 
be marked in a similar, VDE fingerprinted vmique 
way such that the person who originally printed the 
document could be determined, even if copies have 
since been made. 

9) Usage of VDE protected documents could be 
permitted under control of budgets that limit (based 
on size, time of access, etc.) access or other usage of 
document content. This may help prevent wholesale 
disclosure by limiting the nimiber of VDE documents 
accessible to an individual during a fixed time 
period. For example, one such control might permit 
a user, for some particular class of documents, to 
view at most 100 pages/day, but only print 10 
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pages/day and permit printing only on weekdays 
between nine and five. As a further example, a user 
might be restricted to only a certain quantity of 
logically related, relatively "contiguous" and/or some 
other pattern (such as limitin g the use of a 
database's records based upon the quantity of 
records that share a certain identifier in field) of 
VDE protected document usage to identify, for 
example, the occurrence of one or more types of 
excessive database usage (under normal or any 
reasonable circumstances). As a result, VDE content 
providers can restrict usage of VDE content to 
acceptable usage characteristics and thwart and/or 
identify (for example, by generating an exception 
report for a VDE admimstrator or organization 
supervisor) user attempts to inappropriately use, for 
example, such an information database resource. 

These control capabilities show some examples of how VDE 
can be used to provide a flexible, interactive environment for 
tracking and managing sensitive documents. Such an 
environment could directly trace the flow of a document from 
person to person, by physical locations, by organizations, etc. It 
would also permit specific questions to be answered such as 
"what persons outside the R&D department have received any 
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R&D-controUed document." Because the control information is 
carried with each copy of a VDE protected docimient, and can 
ensure that central registries are updated and/or that originators 
are notified of document use, tracking can he prompt and 
accurate. 

This contrasts with traditional means of tracking paper 
documents: typically, a paper-oriented system of manually 
collected and handled receipts is used. Documents may be 
individually copy-numbered and signed for, but once distributed 
are not actively controlled. In a traditional paper-oriented 
system, it is virtually impossible to determine the real locations 
of docimients; what control can be asserted is possible only if all 
parties strictly follow the handling rules (which are at best 
inconvenient). 

The situation is no better for processing documents within 
the context of ordinary computer and network systems. Although 
said systems can enforce access control information based on user 
identity, and can provide auditing mechanisms for tracking 
accesses to files, these are low-level mechanisms that do not 
permit tracking or controlling the flow of content. In sudi 
systems, because document content can be freely copied and 
manipulated, it is not possible to determine where document 
content has gone, or where it came from. In addition, because the 
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control mechanisms in ordinary computer operating systems 
operate at a low level of abstraction, the entities they control are 
not necessarily the same as those that are manipulated by users. 
This particularly causes audit trails to be cluttered with 
voluminous information describing vminteresting activities. 

Fine-Orain* Control Capabilities 

In addition to controlling and managing entire documents, 
users may employ customized VDE-aware application software to 
control and manage individual modifications to docimxents. 
Examples of these capabilities include the following: 

1) A VDE content user may be permitted to append 
fiirther information to a VDE document to indicate a 
proposed alternative wording. This proposed 
alteration would be visible to all other users (in 
addition to the original text) of the docvunent but 
would (for example) be able to be incorporated into 
the actual text only by the document's owner. 

2) A group of VDE users could be permitted to modify 
one or more parts of a doctiment in such a way that 
each individual alteration would be unambiguously 
traceable to the specific user who performed it. The 
rights to modify certain portions of a document, and 
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the extension of dififering sets of rights to dififerent 
users, allows an organization or seoire environment 
to provide difTenng permissions enabling different 
rights to users of the same content. 

3) A group of users could create a VDE document 
incrementally, by building it from individual 
contributions. These contributions would be boimd 
together within a- single controlled document, but 
each would be individually identified, for example, 
through their incorporation in VDE content 
containers as embedded container objects. 

4) VDE control and management capabilities cotild be 
used to track activities related to individual docu- 
ment areas, for instance recording how many times 
each section of a document was viewed. 

Example - VDE Protected Content Repository 

As the "Digital Highway" emerges, there is iacreased 
disoission concerning the distribution of content across networks 
and, in particular, public networks such as the Internet. Content 
may be made available across pubhc networks in several ways 
including: 
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• "mailing^ content to a user in response to a request 
or advance purchase (sending a token representing 
the commitment of electronic funds or credit to 
purchase an item); 

• supporting content downloadable from an 
organization's own content repository, such a 
repository comprising, for example, a store of 
products (such as software programs) and/or a store 
of information resources, normally organized into 
one or more databases; and 

• supporting a public repository into which other 
parties can deposit their products for redistribution 
to customers (normally by making electronic copies 
for distribution to a customer in response to a 
request). 

One possible arrangement of VDE nodes involves use of 
one or more "repositories." A repository, for example, may serve 
as a location from which VDE participants may retrieve VDE 
content containers. In this case, VDE users may make use of a 
network to gain access to a "server" system that allows one or 
more VDE users to access an object repository containing VDE 
content containers. 
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Some VDE participaiits may create or provide content 
and/or VDE content container objects, and then store content 
and/or content objects at a repository so that other participants 
may access such content from a known and/or efficiently 
organized (for retrieval) location. For example, a VDE repository 
(portion of a VDE repository, multiple VDE repositories, and/or 
providers of content to such repositories) may advertise the 
availability of certain types of VDE protected content by sending 
out email to a list of network users. If the network users have 
secure VDE subsystems in their electronic appliances, they may 
then choose to access such a repository directly, or through one or 
more smart agents and, usiag an application program for 
example, browse (and/or electronically search) through the 
offerings of VDE managed content available at the repository, 
download desirable VDE content containers, and make use of 
such containers. If the repository is successful in attracting users 
who have an interest in such content, VDE content providers 
may determine that such a repository is a desirable location(s) to 
make their content available for easy access by users. If a 
repositorjs such as CompuServe, stores content in non-encrypted 
(plaintext) form, it may encrypt "outgoing" content on an "as 
needed" basis through placing such content in VDE content 
containers with desired control information, and may employ 
VDE secure communications techniques for content 
commimication to VDE participants. 
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VDE repositories may also offer other VDE services. For 
example, a repository may choose to offer imaiicial services in the 
fonn of credit from the repository that may be used to pay fees 
associated with use of VDE objects obtained from the repository. 
Alternatively or in addition, a VDE repository may perform audit 
information clearinghouse services on behalf of VDE creators or 
other participants (e.g. distributors, redistributors, cUent 
administrators, etc.) for usage information reported by VDE 
users. Such services may include analyzing such usage 
information, creating reports, collecting payments, etc. 

A "full service" VDE repository may be very attractive to 
both providers and users of VDE managed content. Providers of 
VDE managed content may desire to place their content in a 
location that is well known to users, offers credit, and/or performs 
audit services for them. In this case, providers may be able to 
focus on creating content, rather than managing the 
administrative processes associated with making content 
available in a "retail" fashion, collecting audit iDformation fi^m 
many VDE users, sending and receiving bills and payments, etc. 
VDE users may find the convenience of a single location (or an 
integrated arrangement of repositories) appealing as they are 
attempting to locate content of interest. In addition, a ftiU service 
VDE repository may serve as a siagle location for the reporting of 
usage information generated as a consequence of their use of 
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VDE managed content received from a VDE repository and/or, for 
example, receiving updated software (e.g. VDE-aware 
applications, load modules, component assemblies, non 
VDE-aware applications, etc.) VDE repository services may be 
employed in conjunction with VDE content delivery by broadcast 
and/or on physical media, such as CD-ROM, to constitute an 
integrated array of content resources that may be browsed, 
searched, and/or filtered, as appropriate, to fulfill the content 
needs of VDE users. 

A public repository system may be established and 
maintained as a non-profit or for-profit service. An organization 
oflFering the service may charge a service fee, for example, on a 
per transaction basis and/or as a percentage of the payments by, 
and/or cost of, the content to users. A repository service may 
supply VDE authoring tools to content creators, publishers, 
distributors, and/or value adding providers such that they may 
apply rules and controls that define some or all of the guidelines 
managing use of their content and so that they may place such 
content into VDE content container objects. 

A repository' may be maintained at one location or may be 
distributed across a variety of electronic appliances, such as a 
variety of servers (e.g. video servers, etc.) which may be at 
different locations but nonetheless constitute a single resoxirce. A 
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VDE repository arrangement may employ VDE secure 
commxmications and VDE node secure subsystems ("protected 
processing environments''). The content comprising a given 
collection or unit of information desired by a user may be spread 
across a variety of physical locations. For example, content 
representing a company's closing stock price and the activity 
(bids, lows, highs, etc.) for the stock might be located at a World 
Wide Web server in New York, and content representing an 
analysis of the company (such as a discussions of the company's 
history, personnel, products, markets, and/or competitors) might 
be located on a server in Dallas. The content might be stored 
using VDE mechanisms to secure and audit use. The content 
might be maintained in clear form if sufficient other forms of 
security are available at such one or more of sites (e.g. physical 
security, password, protected operating system, data encryption, 
or other techniques adequate for a certain content type). In the 
latter instances, content may be at least in part encrypted and 
placed in VDE containers as it streams out of a repository so as to 
enable secure communication and subsequent VDE usage control 
and usage consequence management. 

A user might request information related to such a 
company including stock and other information. This request 
might, for example, be routed first through a directory or a more 
sophisticated database arrangement located in Boston. This 
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arrangement might contain pointers to, and retrieve content 
from, both the New York and Dallas repositories. This 
information content may, for example, be routed directly to the 
user in two containers (e.g. such as a VDE content container 
object from Dallas and a VDE content container object from New 
York). These two containers may form two VDE objects within a 
single VDE container (which may contain two content objects 
containing the respective pieces of content from Dallas and New 
York) when processed by the user's electronic appliance. 
Alternatively, such objects might be integrated together to form a 
single VDE container in Boston so that the information can be 
delivered to the user within a single container to simplify 
registration and control at the user's site. The information 
content from both locations may be stored as separate 
information objects or they may be joined into a single, integrated 
information object (certain fields and/or categories in an 
information form or template may be fiUed in by one resource and 
other fields and/or categories may be filled by information 
provided by a different resource). A distributed database may 
manage such a distributed repository resource environment and 
use VDE to secure the storing, communicating, auditing, and/or 
use of information through VDE's electronic enforcement of VDE 
controls. VDE may then be used to provide both consistent 
content containers and content control services. 



820 



wo 96/27155 



PCrAJS96/02303 



An example of one possible repository arrangement 3300 is 
shown in Figure 78. In this example, a repository 3302 is 
connected to a network 3304 that allows authors 3306A, 3306B, 
3306C, and 3306D; a publisher 3308; and one or more end users 
3310 to commvmicate with the repository 3302 and with each 
other. A second network 3312 allows the publisher 3308, authors 
3306E and 3306F, an editor 3314, and a librarian 3316 to 
communicate with each other and with a local repository 3318. 
The publisher 3308 is also directly connected to author 3306E. In 
this example, the authors 3306 and publisher 3308 connect to the 
repository 3302 in order to place their content into an 
environment in which end users 3310 wiU be able to gain access 
to a broad selection of content firom a common location. 

In this example, the repository has two major functional 
areas: a content system 3302A and a clearinghouse system 
3302B. The content system 3302A is comprised of a user/author 
registration system 3320, a content catalog 3322, a search 
mechanism 3324, content storage 3326, content references 3328, 
and a shipping system 3330 comprised of a controls packager 
3322, a container packager 3334, and a transaction system 3336. 
The clearinghouse system 3302B is comprised of a user/author 
registration system 3338; template libraries 3340; a control 
structvire hbraiy 3342; a disbursement system 3344; an 
authorization system 3346 comprised of a financial system 3348 
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and a coBtent system 3350; a billing system 3352 comprised of a 
paper system 3354, a credit card system 3356, and an electronic 
funds transfer (EFT) system 3358; and an audit system 3360 
comprised of a receipt system 3362, a response system 3364, a 
transaction system 3366, and an analysis system 3368. 

In this example, author 3306A creates content in electronic 
form that she intends to make broadly available to many end 
users 3310, and to protect her rights through use of VDE. Author 
3306A transmits a message to the repository 3302 indicating her 
desire to register with the repository to distribute her content. In 
response to this message, the user/author registration system 
3320 of the content system 3302A, and the user/author 
registration system 3338 of the clearinghouse system 3302B 
transmit requests for registration information to author 3306A 
using the network 3304. These requests may be made in an 
on-line interactive mode; or they may be transmitted in a batch to 
author 3306A who then completes the requested information and 
transmits it as a batch to the repository 3302; or some aspects 
may be handled on-line (such as basic identifying information) 
and other information may be exchanged in a batch mode. 

Registration information related to the content system 
3302A may, for example, include: 
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a request that Author 3306A provide information 
concerning the types and/or categories of content 
proposed for storage and access using liie repository, 

the form of abstract and/or other identifying 
information required by the repository — ^in addition 
to providing author 3306A with an opportunity to 
indicate whether or not author 3306A generally 
includes other information with content submissions 
(such as promotional materials, detailed information 
regarding the format of submitted content, any 
eqtiipment requirements that should or must be met 
for potential users of submitted content to 
successfully exploit its value, etc.), 

requests for information from author 3306A 
concerning where the content is to be located (stored 
at the repository, stored at author 3306A's location, 
stored elsewhere, or some combination of locations), 

what general search characteristics should be 
associated with content submissions (e.g. whether 
abstracts should be automatically indexed for 
searches by users of the repository, the manner in 
which content titles, abstracts, promotional 
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materials, relevant dates, names of performers 
and/or authors, or other information related to 
content submissions may or should be used in lists of 
tjrpes of content and/or in response to searches, etc.), 
and/or 

• how content that is stored at and/or passed through 
the repository should be shipped (including any 
container criteria, encryption requirements, 
transaction requirements related to content 
transmissions, other control criteria, etc.) 

The information requested from author 3306A by the 
user/author registration system of the cleariaghouse may, for 
example, consist of: 

• VDE templates that author 3306A may or must 
make use of in order to correctly format control 
information such that, for example, the audit system 
3360 of the clearinghouse system 3302B is properly 
authorized to receive and/or process usage 
information related to content submitted by author 
3306A, 

• VDE control information available from the 
clearinghouse 3302B that may or must be used by 
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author 3306A (and/or included by reference) in some 
or all of the VDE component assembUes created 
and/or used by author 3306A associated with 
submitted content, 

the manner in which disbursement of any funds 
associated with usage of content provided by, passed 
through, or collected by the repository clearinghouse 
system 3302B should be made, 

the form and/or criteria of authorizations to use 
submitted content and/or financial transactions 
associated with content, 

the acceptable forms of billing for use of content 
and/or information associated with content (such as 
analysis reports ttiat may be used by others), 

how VDE generated audit information should be 
received, 

how responses to requests from users should be 
managed, 
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• how transactions associated with the receipt of audit 
information should be formatted and authorized, 

• how and what forms of analysis should be performed 
on usage information, and/or 

• under what circumstances (if any) usage information 
and/or analysis results derived from VDE controlled 
content usage information should be managed 
(including to whom they may or must be deUvered, 
the form of delivery, any control information that 
may be associated with use of such information, etc.) 

The repository 3302 receives the completed registration 
information from author 3306A and uses this information to 
build an account profile for author 3306A. In addition, software 
associated with the authoring process may be transmitted to 
author 3306A. This software may, for example, allow author 
3306A to place content into a VDE content container with 
appropriate controls in such a way that many of the decisions 
6issociated with creating such containers are made automatically 
to reflect the use of the repository 3302 as a content system 
and/or a clearinghouse system (for example, the location of 
content, the party to contact for updates to content and/or 
controls associated with content, the party or parties to whom 
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audit infonnatioii may and/or must be transmitted and the 
pathways for such communication, the character of audit 
information that is collected during usage> the forms of payment 
that are acceptable for use of content, the frequency of audit 
transmissions required, the frequency of billing, the form of 
abstract and/or other identifying information associated with 
content, the nature of at least a portion of content usage control 
information, etc.) 

Author 3306A makes use of a VDE authoring appUcatibn 
to specify the controls and the content that she desires to place 
within a VDE content container, and produces such a container 
in accordance with any requirements of the repository 3302. 
Such a VDE authoring apphcation may be, for example, an 
appUcation provided by the repository 3302 which can help 
ensure adherence to repository content control requirements such 
as the Inclusion of one or more types of component assembhes or 
other VDE control structures and/or required parameter data, an 
appUcation received from another party, and/or an apphcation 
created by author 3306A in whole or in part. Author 3306A then 
uses the network 3304 to transmit the container and any 
deviations from author 3306A's account profile that may relate to 
such content to the repository 3302. The repository 3302 receives 
the submitted content, and then — in accordance with any 
account profile requirements, deviations and/or desired options in 
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this example — ^makes a determination as to whether the content 
was produced within the boundaries of any content and/or control 
information requirements of the repository and therefore should 
be placed within content storage or referenced by a location 
pointer or the like. In addition to placing the submitted content 
into content storage or referencing such content's location, the 
repository 3302 may also make note of characteristics associated 
with such submitted content in the search mechanism 3324, 
content references 3328, the shipping system 3330, and/or the 
relevant systems of the clearinghouse system 3302B related to 
templates and control structures, authorizations, billing and/or 
payments, disbursements, and/or audits of usage information. 

Dxuing an authoring process, author 3306A may make use 
of VDE templates. Such templates may be used as an aspect of a 
VDE authoring application. For example, such templates may be 
used in the construction of a container as described above. 
Alternatively or in addition, such templates may also be used 
when submitted content is received by the repository 3302. 
References to such templates may be incorporated by author 
3306A as an aspect of constructing a container for submitted 
content fin this sense the container deUvered to the repository 
may be in some respects "incomplete" until the repository 
"completes" the container through use of indicated templates). 
Such references may be required for use by the repository 3302 
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(for example, to place VDE control information in place to fulfill 
an aspect of the repositoiys business or security models such as 
one or more map tables corresponding to elements of content 
necessary for interacting with other VDE control structures to 
accommodate certain metering, billing, budgeting, and/or other 
usage and/or distribution related controls of the repository). 

For example, if content submitted by author 3306A 
consists of a periodical publication, a template delivered to the 
author by the repository 3302 when the author registers at the 
repository may be tised as an aspect of an authoring appUcation 
manipulated by the author in creating a VDE content container 
for such a periodical. Alternatively or in addition, a template 
designed for use with periodical publications may be resident at 
the repository 3302, and such a template may be used by the 
repository to define, in whole or in part, control structures 
associated with such a container. For example, a VDE template 
designed to assist in formulating control structures for periodical 
publications might indicate (among other things) that: 

• usage controls should include a meter method that 
records each aiticle within a publication that a user 
opens, 
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• a certaia flat rate fee should apply to opening the 
periodical regardless of the number of articles 
opened, and/or 

• a record shoidd be maintained of every 
advertisement that is viewed by a user. 

If content is maintained in a known and/or identifiable format, 
such a template may be used during initial construction of a 
container without author 3306A's intervention to identify any 
map tables that may be required to support such recording and 
billing actions. If such a VDE template is imavailable to author 
3306A, she may choose to indicate that the container submitted 
shoxild be reconstructed (e.g. augmented) by the repository to 
include the VDE control information specified in a certain 
template or class of templates. If the format of the content is 
known and/or identifiable by the repository, the repository may 
be able to reconstruct (or "complete") such a container 
automatically. 

One factor in a potentially ongoing financial relationship 
between the repository and author 3306A may relate to usage of 
submitted content by end users 3310. For example, author 
3306A may negotiate an arrangement with the repository 
wherein the repository is authorized to keep 20% of the total 
revenues generated fi^om end users 3310 in exchange for 
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maintamiBg the repository services (e.g. making content 
available to end users 3310, providing electronic credit, 
performing billing activities, collecting fees, etc.) A financial 
relationship may be recorded in control structures in flexible and 
configurable ways. For example, the fijiancial relationship 
described above could be created in a VDE container and/or 
installation control structure devised by author 3306A to reflect 
author 3306A's financial requirements and the need for a 20% 
spHt in revenue with the repository wherein all billing activities 
related to usage of submitted content coidd be processed by the 
repository, and control structures representing reciprocal 
methods associated with various component assembhes required 
for use of author 3306A's submitted content could be used to 
calculate the 20% of revenues. Alternatively, the repository may 
independently and securely add and/or modify control structures 
originating firom author 3306A in order to reflect an increase in 
price. Under some circumstances, author 3306A may not be 
directly involved (or have any knowledge of) the actual price that 
the repository charges for usage activities, and may concern 
herself only with the amount of revenue and character of usage 
analysis information that she requires for her own purposes, 
which she specifies in VDE control information which governs the 
use, and consequences of use, of VDE controlled content. 
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Another aspect of the relationship between authors and 
the repository may involve the character of transaction recording 
requirements associated with dehvery of VDE controlled content 
and receipt of VDE controlled content usage audit information. 
For example, author 3306A may require that the repository make 
a record of each tiser that receives a copy of content from the 
repository. Author 3306A may farther require collection of 
information regarding the circumstances of deUvery of content to 
such users (e.g. time, date, etc.) In addition, the repository may 
elect to perform such transactions for use internally (e.g. to 
determine .pattems of usage to optimize systems, detect fraud, 
etc.) 

In addition to recording information regarding dehvery of 
such VDE controlled content, author 3306A may have required or 
requested the repository to perform certain VDE container 
related processes. For example, author 3306A may want 
differing abstract and/or other descriptive information dehvered 
to different classes of users. In addition, author 3306A may wish 
to dehver promotional materials in the same container as 
submitted content depending on, for example, the character of 
usage exhibited by a particular user (e.g. whether the user has 
ever received content from author 3306A, whether the user is a 
regular subscriber to author 3306A's materials, and/or other 
patterns that may be relevant to author 3306A and/or the end 
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user that are used to help detenniiLe the mix of promotional 
materials delivered to a certain VDE content end user.) In 
another example, author 3306A may require that VDE 
fingerprinting be performed on such content prior to 
transmission of content to an end user. 

In addition to the form and/or character of content shipped 
to an end user, authors may also require certain encrsTption 
related processes to be performed by the repository as an aspect 
of delivering content. For example, author 3306A may have 
required that the repository encrypt each copy of shipped content 
using a different encryption key or keys in order to help maintain 
greater protection for content (e.g. in case an encryption key was 
"cracked" or inadvertently disclosed, the "damage" could be 
Umited to the portion(s) of that specific copy of a certain content 
dehverable). In another example, encryption functions may 
include the need to use entirely difierent encryption algorithms 
and/or techniques in order to fulfill circumstantial requirements 
(e.g. to comply with export restrictions). In a further example, 
encryption related processes may include changing the 
encryption techniques and/or algorithms based on the level of 
trustedness and/or tamper resistance of the VDE site to which 
content is delivered. 
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In addition to transaction information gathered when 
content is shipped from a VDE repository to an end user, the 
repository may be required to keep transaction information 
related to the receipt of usage information, requests, and/or 
responses to and/or from end users 3310. For example, author 
3306A may require the repository to keep a log of some or all 
connections made by end users 3310 related to transmissions and 
or reception of information related to the use of author 3306A's 
content (e.g. end user reporting of audit information, end user 
requests for additional permissions information, etc.) 

Some VDE managed content provided to end users 3310 
through the repository may be stored in content storage. Other 
information may be stored elsewhere, and be referenced through 
the content references. In the case where content references are 
used, the repository may manage the user interactions in such a 
manner that all repository content, whether stored in content 
storage or elsewhere (such as at another site), is presented for 
selection by end users 3310 in a tmiform way, such as, for 
example, a consistent or the same user interface. If an end user 
requests dehvery of content that is not stored in content storage, 
the VDE repository may locate the actual storage site for the 
content using information stored in content references (e.g. the 
network address where the content may be located, a URL, a 
filesystem reference, etc.) After the content is located, the 
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content may be transmitted across the network to the repository 
or it may be delivered directly from where it is stored to the 
requesting end user. In some drcinnstances (e.g. when container 
modification is required, when encryption must be changed, if 
financial transactions are required prior to release, etc.), further 
processing may be required by the repository in order to prepare 
such VDE managed content and/or VDE content container for 
transmission to an end user. 

In order to provide a manageable user interface to the 
content available to VDE repository end users 3310 and to 
provide administrative information used in the determination of 
control information packaged in VDE content containers shipped 
to end users 3310, the repository in this example includes a 
content catalog 3322. This catalog is used to record information 
related to the VDE content in content storage, and/or content 
available through the repository reflected in content references. 
The content catalog 3322 may consist of titles of content, 
abstracts, and other identifying information. In addition, the 
catalog may also indicate the forms of electronic agreement 
and/or agreement VDE template applications (offering optional, 
selectable control structures and/or one or more opportunities to 
provide related parameter data) that are available to end users 
3310 through the repository for given pieces of content in 
deciding, for example, options and/or requirements for: what 
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type(s) of information is recorded during such content's use, the 
charge for certain content usage activities, differences in charges 
based on whether or not certain usage information is recorded 
and/or made available to the repository and/or content provider, 
the redistribution rights associated with such content, the 
reporting frequency for audit transmissions, the forms of credit 
and/or currency that may be used to pay certain fees associated 
with use of such content, discoimts related to certain voliunes of 
usage, discounts available due to the presence of rights 
associated with other content from the same and/or different 
content providers, sales, etc. Furthermore, a VDE repository 
content catalog 3322 may indicate some or all of the component 
assemblies that are reqxiired in order to make use of content such 
that the end user's system and the repository can exchange 
messages to Help ensure that any necessary VDE component 
assemblies or other VDE control information is identified, and if 
necessary and authorized, are delivered along with such content 
to the end user (rather than, for example, being requested later 
after their absence has been detected during a registration and/or 
use attempt). 

In order to make use of the VDE repository in this 
example, an end user must register with the repository. In a 
manner similar to that indicated above ia the case of an author, a 
VDE end user transmits a message from her VDE installation to 
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the repository across the network indicatiBg that she wishes to 
make use of the services provided by the repository (e.g. access 
content stored at and/or referenced by the repository, use credit 
provided by the repository, etc.) In response to this message, the 
user/author registration systems of the content system 3302A 
and the clearinghouse system 3302B of the repository transmit 
requests for information from the end user (e.g. in an on-hne 
and/or batch interaction). The information requested by the 
user/author registration system of the content system 3302A may 
include t3T5e(s) of content that the user wishes to access, the 
characteristics of the user's electronic appHance 600, etc. The 
information requested by the user/author registration system of 
the clearinghouse system 3302B may include whether the user 
wishes to establish a credit accoxmt with the clearinghouse 
system 3302B, what other forms of credit the user may wish to 
use for billing purposes, what other clearinghouses may be used 
by the end user in the course of interacting with content obtained 
from the repository, any general rules that the user has 
established regardiog their preferences for release and handling 
of usage analysis information, etc. Once the end user has 
completed the registration information and transmitted it to the 
repository, the repository may construct an account profile for the 
user. In this example, such requests and responses are handled 
by secure VDE communications between secure VDE subsystems 
of both sending and receiving parties. 
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In order to make use of the repository, the end user may 
operate appUcation software. In this example, the end user may 
either make use of a standard application program (e.g. a World 
Wide Web browser such as Mosaic), or they may make use of 
application software provided by the repository after completion 
of the registration process. If the end user chooses to make use of 
the appUcation software provided by the repository, they may be 
able to avoid certain complexities of interaction that may occur if 
a standard package is iised. Although standardized packages are 
often relatively easy to use, a customized package that 
incorporates VDE aware functionality may provide an easier to 
use interface for a user. In addition, certain characteristics of the 
repository may be bxxilt in to the interface to simplify use of the 
services (e.g. similar to the application programs provided by 
America Online). 

The end user may connect to the repository using the 
network. In this example, after the \iser connects to the 
repository, an authentication process will occur. This process can 
either be directed by the user (e.g. through use of a login and 
password protocol) or may be established by the end user^s 
electronic apphance secure subsystems interacting with a 
repository electronic apphance in a VDE authentication. In 
either event, the repository and the user must initially ensure 
that tiiey are connected to the correct other party. In this 
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example, if secured information will flow between the parties, a 
VDE secvired authentication must occur, and a secure session 
must be established. On the other hand, if the information to be 
exchanged has already been secured and/or is available without 
authentication (e.g. certain catalog information, containers that 
have already been encrypted and do not require special handling, 
etc.), the "weaker" form of login/password may be used. 

Once an end user has connected to the VDE repository and 
authentication has occurred, the user may begin manipulating 
and directing their user interface software to browse through a 
repository content catalog 3322 (e.g. lists of publications, 
software, games, movies, etc.), use the search mechanism to help 
locate content of interest, schedule content for delivery, make 
iaquiries of account status, availability of usage analysis 
information, billing information, registration and accoimt profile 
information, etc. If a user is connecting to obtain content, Uie 
usage requirements for that content may be delivered to them. If 
the user is connecting to deliver usage information to the 
repository, information related to that transmission may be 
delivered to them. Some of these processes are described in more 
detail below. 

In this example, when an end user requests content from 
the VDE repository (e.g. by selecting from a menu of available 
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options), the content system 3302A locates the content either in 
the content references and/or in content storage. The content 
system 3302A may then refer to information stored in the content 
catalog 3322, the end user^s account profile, and/or the author's 
account profile to determine the precise nature of container 
format and/or control information that may be required to create 
a VDE content container to fulfill the end user's request. The 
shipping system then accesses the clearinghouse system 3302Bto 
gather any necessary additional control structures to include 
with the container, to deteixoine any characteristics of the 
author^s and/or end user's account profiles that may influence 
either the transaction(s) associated with delivering the content to 
the end user or with whether the transaction may be processed. 
If the transaction is authorized, and all elements necessary for 
the container are available, the controls packager forms a 
package of control information appropriate for this request by 
this end user, and the container packager takes this package of 
control information and the content and forms an appropriate 
container (including any permissions that may be codeliverable 
with the container, incorporating any encryption requirements, 
etc.) If required by the repository or the author's accoimt profile, 
transactions related to delivery of content are recorded by the 
transaction system of the shipping system. When the container 
and any transactions related to deUvery have been completed, 
the container is transmitted across the network to the end user. 
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An end user may make use of credit and/or currency 
securely stored within the end user's VDE installation secure 
subsystem to pay for charges related to use of VDE content 
received from the repository, and/or the user may maintain a 
secure credit and/or currency accoxmt remotely at the repository, 
including a "virtual" repository where payment is made for the 
receipt of such content by an end user. This later approach may 
provide greater assurance for payment to the repository and/or 
content providers particularly if the end user has only an HPE 
based secure subsystem. If an end user electronic credit and/or 
currency account is maintained at the repository in this example, 
charges are made to said account based on end user receipt of 
content from the repository. Further charges to such a remote 
end user account may be made based on end user usage of such 
received content and based upon content usage information 
communicated to the repository clearinghouse system 3302B. 

In this example, if an end user does not have a relationship 
established with a financial provider (who has authorized the 
content providers whose content may be obtained through use of 
the repository to make use of their ciurency and/or credit to pay 
for any usage fees associated with such provider's content) and/or 
if an end user desires a new source of such credit, the end user 
may request credit from the repository clearinghouse system 
3302B. If an end user is approved for credit, the repository may 
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extend credit in the form of credit amounts (e.g. recorded in one 
or more UDEs) associated with a budget method managed by the 
repository. Periodically, usage information associated with such a 
budget method is transmitted by the end user to the audit system 
of the repository. After such a transmission (but potentially 
before the connection is terminated), an amount owing is 
recorded for processing by the billing system, and in accordance 
with the repository's business practices, the amoimt of credit 
available for use by the end user may be replenished in the same 
or subsequent transmission. In this example, the clearinghouse 
of the repository supports a billing system with a paper system 
for resolving amounts owed through the mail, a credit card 
system for resolving amounts owed through charges to one or 
more credit cards, and an electronic funds transfer system for 
resolving such amounts through direct debits to a bank account. 
The repository may automatically make payments determined by 
the disbursement system for monies owed to authors through use 
of similar means. Additional detail regarding the audit process is 
provided below. 

As indicated above, end users 3310 in this example will 
periodically contact the VDE repository to transmit content usage 
information (e.g. related to consimiption of budget, recording of 
other \isage activities, etc.), replenish their budgets, modify their 
accoimt profile, access usage analysis information, and perform 
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other administrative and information exchange activities. In 
some cases, an end user may wish to contact the repository to 
obtain additional control structures. For example, if an end user 
has requested and obtained a VDE content contaiaer from the 
repository, that contaiaer is typically shipped to the end user 
along with control structures appropriate to the content, the 
author's requirements and account profile, the end user's accotmt 
profile, the content catalog 3322, and/or the circvmistances of the 
delivery (e.g. the first delivery firom a particular author, a 
subscription, a marketing promotion, presence and/or absence of 
certain advertising materials, requests formulated on behalf of 
the user by the user^s local VDE instance, etc.) Even though, in 
this example, the repository may have attempted to deUver all 
relevant control structures, some containers may include controls 
structures that allow for options that the end user did not 
anticipate exercising (and the other criteria did not automatically 
select for inclusion in the container) that the end user 
nonetheless determines that they would like to exercise. In this 
case, the end user may wish to contact the repository and request 
any additional control information (including, for example, 
control structures) that they will need in order to make use of the 
content imder such option. 

For example, if an end user has obtained a VDE content 
container with an overall control structure that includes an 
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option that records of the number of times that certain types of 
accesses are made to the container and further bases usage fees 
on the number of such accesses, and another option within the 
overall control structure allows the end user to base the fees paid 
for access to a particular container based on the length of time 
spent using the content of the container, and the end user did not 
originally receive controls that would support this latter form of 
usage, the repository may dehver such controls at a later time 
and when requested by the user. In another example, an author 
may have made changes to their control structures (e.g. to reflect 
a sale, a new discotmting model, a modified business strategy, 
etc.) which a user may or must receive ia order to use the content 
container with the changed control structures. For example, one 
or more control structures associated with a certain VDE content 
container may require a "refresh" for continued authorization to 
employ such structures, or the control structures may expire. 
This allows (if desired) a VDE content provider to periodically 
modify and/or add to VDE control information at an end user's 
site (emplo3dng the local VDE secure subsystem). 

Audit information (related to usage of content received 
from the repository) in this example is securely received from end 
users 3310 by the receipt system 3362 of the clearinghouse. As 
indicated above, this system may process the audit information 
and pass some or all of the output of such a process to the billing 
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system and/or transmit such output to appropriate content 
authors. Such passing of audit information employs secure VDE 
pathway of reporting information handling techniques. Audit 
information may also be passed to the analysis system in order to 
produce analysis results related to end user content usage for use 
by the end user, the repository, third party market researchers, 
and/or one or more authors. Analysis results may be based on a 
single audit transmission, a portion of an audit transmission, a 
collection of audit transmissions from a single end user and/or 
multiple end users 3310, or some combination of audit 
transmissions based on the subject of analysis (e.g. usage 
patterns for a given content element or collection of elements, 
usage of certain categories of content, pa3rment histories, 
demographic usage patterns, etc.) The response system 3364 is 
used to send information to the end user to, for example, 
replenish a budget, deUver usage controls, update permissions 
information, and to transmit certain other information and/or 
messages requested and/or required by an end user in the course 
of their interaction with the clearinghouse. During the course of 
an end user's connections and transmissions to and from the 
clearinghouse, certain transactions (e.g. time, date, and/or 
purpose of a connection and/or transmission) may be recorded by 
the transaction system of the audit system to reflect 
requirements of the repository and/or authors. 
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Certaia audit information may be transmitted to authors. 
For example, author 3306A may require that certain information 
gathered from an end user be transmitted to author 3306A with 
no processing by the audit system. In this case, the fact of the 
transmission may be recorded by the audit system, but author 
3306A may have elected to perform their own usage analysis 
rather than (or in addition to) permitting the repository to access, 
otherwise process and/or otherwise use this information. The 
repository in this example may provide author 3306A with some 
of the usage information related to the repository's budget 
method received from one or more end users 3310 and generated 
by the payment of fees associated with such users' usage of 
content provided by author 3306A . In this case, author 3306A 
may be able to compare certain usage information related to 
content with the usage information related to the repository's 
budget method for the content to analyze patterns of usage (e.g. 
to analyze usage in light of fees, detect possible fraud, generate 
user profile information, etc.) Any usage fees collected by the 
clearinghouse associated with author 3306A's content that are 
due to author 3306A will be determined by the disbursement 
system of the clearinghouse. The disbursement system may 
include usage information (in complete or summary form) with 
any payments to author 3306A resulting from such a 
determination. Such payments and information reporting may 
be an entirely automated sequence of processes occurring within 
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the VDE pathway from end user VDE secure subsystems, to the 
clearinghouse secure subsystem, to the author's secure 
subsystem. 

In this example, end users 3310 may transmit VDE 
permissions and/or other control information to the repository 
3302 permitting and/or denjring access to usage infoinaiation 
collected by the audit system for use by the analysis system. 
This, in part, may help ensure end user^s privacy rights as it 
relates to the usage of such information. Some containers may 
require, as an aspect of their control structures, that an end user 
make usage information available for analysis purposes. Other 
containers may give an end user the option of either allowing the 
usage information to be used for analysis, or denying some or all 
such uses of such information. Some users may elect to allow 
analysis of certain information, and deny this permission for 
other information. End users 3310 in this example may, for 
example, elect to limit the granularity of information that may be 
used for analysis purposes (e.g. an end user may allow analysis of 
the number of movies viewed in a time period but disallow use of 
specific titles, an end user may allow release of their ZIP code for 
demographic analysis, but disallow use of their name and 
address, etc.) Authors and/or the repository 3302 may, for 
example, choose to charge end users 3310 smaller fees if they 
agree to release certain usage information for analysis purposes. 
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In this example, the repository 3302 may receive content 
produced by more than one author. For example, author B, 
author C, and author D may each create portions of content that 
will be delivered to end users 3310 in a single container. For 
example, author B may produce a reference work. Author C may 
produce a commentary on author B's reference work, and author 
D may produce a set of illustrations for author B's reference work 
and author C's commentary. Author B may collect together 
author C's and author D's content and add further content (e.g. 
the reference work described above) and include such content in a 
single container which is then transmitted to the repository 3302. 
Alternatively, each of the authors may transmit their works to 
the repository 3302 independently, with an indication that a 
template should be used to combine their respective works prior 
to shipping a container to an end user. StiU alternatively, a 
container reflecting the overall content structure may be 
transmitted to the repository 3302 and some or aU of the content 
may be referenced in the content references rather than delivered 
to the repository 3302 for storage in content storage. 

When an end user makes use of container content, their 
content usage information may, for example, be segregated in 
accordance with control structures that organize usage 
information based at least in part on the author who created that 
segment. Alternatively, the authors and/or the VDE repository 
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3302 may negotiate one or more other techniques for securely 
dividing and/or sharing usage information in accordance with 
VDE control infonnation. Furthermore, control structures 
associated with a container may implement models that 
differentiate any usage fees associated with portions of content 
based on usage of particular portions, overall usage of the 
container, particular patterns of usage, or other mechanism 
negotiated (or otherwise agreed to) by the authors. Reports of 
usage infonnation, analysis results, disbursements, and other 
clearinghouse processes may also be generated in a manner that 
reflects agreements reached by repository 3302 participants 
(authors, end users 3310 and/or the repository 3302) with respect 
to such processes. These agreements may be the result of a VDE 
control information negotiation amongst these participants. 

In this example, one type of author is a publisher 3308. 
The publisher 3308 in this example coimnunicates over an 
"internal" network with a VDE based local repository 3302 and 
over the network described above with the pubHc repository 3302. 
The publisher 3308 may create or otherwise provide content 
and/or VDE control stracture templates that are delivered to the 
local repository 3302 for use by other participants who have 
access to the "internal" network. These templates may be used to 
describe the structure of containers, and may further describe 
whom in the publisher 3308's organization may take which 
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actions with respect to the content created within the 
organization related to pubHcation for delivery to (and/or 
referencing by) the repository 3302. For example, the publisher 
3308 may decide (and control by use of said temple) that a 
periodical publication will have a certain format with respect to 
the structure of its content and the types of information that may 
be included (e.g. text, graphics, multimedia presentations, 
advertisements, etc.), the relative location and/or order of 
presentation of its content, the length of certain segments, etc. 
Furthermore, the publisher 3308 may, for example, determine 
(through distribution of appropriate permissions) that the 
publication editor is the only party that may grant permissions to 
write into the container, and that the organization Hbrarian is 
the only party that may index and/or abstract the content. In 
addition, the publisher 3308 may, for example, allow only certain 
one or more parties to finalize a container for delivery to tiie 
repository 3302 in usable form (e.g. by maintaining control over 
the type of permissions, including distribution permissions, that 
may be required by the repository 3302 to perform subsequent 
distribution activities related to repository end users 3310). 

In this example, author 3306E is connected directly to the 
publisher 3308, such that the publisher 3308 can provide 
templates for that author that establish the character of 
contaiaers for author 3306E's content. For example, if author 
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3306E creates books for distribution by the publisher 3308, the 
publisher 3308 may define the VDE control structure template 
which provides control method options for author 3306E to select 
firom and whidi provides VDE control structures for securely 
distributing author 3306E's works. Author 3306E and the 
publisher 3308 may employ VDE negotiations for the template 
characteristics, specific control structures, and/or parameter data 
used by author 3306E. Author 3306E may then use the 
template(s) to create control structures for their content 
containers. The publisher 3308 may then deUver these works to 
the repository 3302 under a VDE extended agreement comprising 
electronic agreements between author 3306E and the pubUsher 
3308 and the repository 3302 and the publisher 3308. 

In this example, the publisher 3308 may also make author 
3306E*s work available on the local repository 3302. The editor 
may authorize (e.g. through distribution of appropriate 
permissions) author F to create certain portions of content for a 
publication. In this example, the editor may review and/or 
modify author F's work and further include it in a container with 
content provided by author 3306E (available on the local 
repository 3302). The editor may or may not have permissions 
from the publisher 3308 to modify author 3306E's content 
(depending on any negotiation(s) that may have occurred 
between the publisher 3308 and author 3306E, and the publisher 
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3308*s decision to extend such rights to the editor if permissions 
to modiiy author 3306E's content are held in redistributable form 
by the publisher 3308), The editor may also include content from 
other authors by (a) using a process of granting permissions to 
authors to write directly into the containers and/or (b) retrieving 
containers from the local repository 3302 for inclusion. The local 
repository 3302 may also be used for other material used by the 
publisher 3308's organization (e.g. databases, other reference 
works, internal documents, draft works for review, training 
videos, etc.), such material may, given appropriate permissions, 
be employed in VDE container collections of content created by 
the editor. 

The Hbrarian in this example has responsibility for 
building and/or editing inverted indexes, ke3rword lists (e.g. from 
a restricted vocabulary), abstracts of content, revision histories, 
etc. The publisher 3308 may, for example, grant permissions to 
only the hbrarian for creating this type of content. The pubUsher 
3308 may further require that this building and/or editing occur 
prior to release of content to the repository 3302. 
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Example — Evolation and Tranaformatioxi of VDE Managed 
Content and Control Information 

The VDE content control architecture allows content 
control information (such as control information for governing 
content usage) to be shaped to conform to VDE control 
information reqviirements of multiple parties. Formulating such 
multiple party content control information normally involves 
securely deriving control information from control information 
securely contributed by parties who play a role in a content 
handling and control model (e.g. content creator(s), provider(s), 
user(s), cleariaghouse(s), etc.). Mviltiple party control 
infoimation may be necessary in order to combine multiple pieces 
of independently managed VDE content into a single VDE 
container object (particularly if such independently managed 
content pieces have differing, for example conflicting, content 
control information). Such secure combination of VDE managed 
pieces of content will frequently require VDE's ability to securely 
derive content control information whidi accommodates the 
control information requirements, including any combiaatorial 
rules, of the respective VDE managed pieces of content and 
reflects an acceptable agreement between such plural control 
information sets. 

The combination of VDE managed content pieces may 
result in a VDE managed composite of content. Combining VDE 
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managed content must be carried out in accordance with relevant 
content control information associated with said content pieces 
and processed through the use of one or more secure VDE 
sub-system PPEs 650. VDE's ability to support the embedding, 
or otherwise combining, of VDE managed content pieces, so as to 
create a combination product comprised of various pieces of VDE 
content, enables VDE content providers to optimize their VDE 
electronic content products. The combining of VDE managed 
content pieces may result in a VDE content container which 
"holds" consohdated content and/or concomitant, separate, nested 
VDE content containers. 

VDE*s support for creation of content containers holding 
distinct pieces of VDE content portions that were previously 
managed separately allows VDE content providers to develop 
products whose content control information reflects value 
propositions consistent with the objectives of the providers of 
content pieces, and further are consistent with the objectives of a 
content aggregator who may be producing a certain content 
combination as a product for commercial distribution. For 
example, a content product "launched" by a certain content 
provider into a commercial channel (such as a network 
repository) may be incorporated by different content providers 
and/or end-users into VDE content containers (so long as such 
incorporation is allowed by the launched product's content 
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control information). These different content providers and/or 
end-users may, for example, submit differing control information 
for regulating use of such content. They may also combine in 
different combinations a certain portion of launched content with 
content received from other parties (and/or produced by 
themselves) to produce different content collections, given 
appropriate authorizations. 

VDE thus enables copies of a given piece of VDE managed 
content to be securely combined into differing consolidations of 
content, each of which reflects a product strategy of a different 
VDE content aggregator. VDE's content aggregation capability 
wiU result in a wider range of competitive electronic content 
products which offer differing overall collections of content and 
may employ differing content control information for content that 
may be common to such multiple products. Importantly, VDE 
securely and flexibly supports editing the content in, extracting 
content from, embedding content into, and otherwise shaping the 
content composition of, VDE content containers. Such capabilities 
allow VDE supported product models to evolve by progressively 
reflecting the requirements of "next" participants in an electronic 
commercial model. As a result, a given piece of VDE managed 
content, as it moves through pathways of handling and 
branching, can participate in many different content container 
and content control information commercial models. 
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VDE content, and the electronic agreements associated 
with said content, can be employed and progressively 
manipulated in commercial ways which reflect traditional 
business practices for non-electronic products (though VDE 
supports greater flexibility and efl&ciency compared with most of 
such traditional models). Limited only by the VDE control 
information employed by content creators, other providers, and 
other pathway of handling and control participants, VDE allows 
a "natural" and unhindered flow of, and creation of, electronic 
content product models. VDE provides for this flow of VDE 
products and services through a network of creators, providers, 
and users who successively and securely shape and reshape 
product composition through content combining, extracting, and 
editing within a Virtual Distribution Environment. 

VDE provides means to securely combine content provided 
at different times, by differing sources, and/or representing 
differing content types. These types, timings, and/or different 
sources of content can be employed to form a complex array of 
content within a VDE content container. For example, a VDE 
content container may contain a plurality of different content 
container objects, each containing different content whose usage 
can be controlled, at least io part, by its own container's set of 
VDE content control information. 
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A VDE content container object may, through the use of a 
secure VDE sub-system, be "safely" embedded within a "parent" 
VDE content container. This embedding process may involve the 
creation of an embedded object, or, alternatively, the containing, 
within a VDE content container, of a previously independent and 
now embedded object by, at minimum, appropriately referencing 
said object as to its location. 

An embedded content object within a parent VDE content 
container: 

(1) may have been a previously created VDE content 
container which has been embedded into a parent VDE 
content container by securely transforming it from an 
independent to an embedded object through the secure 
processings of one or more VDE component assembUes 
within a VDE secure sub-system PPE 650. In this 
instance, an embedded object may be subject to content 
control information, including one or more permissions 
records associated with the parent container, but may not, 
for example, have its own content control information other 
than content identification information, or the embedded 
object may be more extensively controlled by its own 
content control information (e.g. permissions records). 



857 



(2) may include content which was extracted firom 
another VDE content conteiiner (along with content control 
information, as may be applicable) for inclusion into a 
parent VDE content container in the form of an embedded 
VDE content container object. In this case, said extraction 
and embedding may use one or more VDE processes which 
run securely within a VDE secure sub-system PPE 650 and 
which may securely remove (or copy) the desired content 
from a source VDE content container and place such 
content in a new or existing container object, either of 
which may be or become embedded into a parent VDE 
content container. 

(3) may include content which was first created and 
then placed in a VDE content container object. Said 
receiving^ontainer may already be embedded in a parent 
VDE content container and may already contain other 
content. The container in which such content is placed 
may be specified using a VDE aware application which 
interacts with content and a secure VDE subsystem to 
securely create such VDE container and place such content 
therein followed by securely embedding such container into 
the destination, parent container. Alternatively, content 
may be specified without the use of a VDE aware 
application, and then manipulated using a VDE aware 
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application in order to manage movement of the content 
into a VDE content container. Such an application may be 
a VDE aware word processor, desktop and/or multimedia 
publishing package, graphics and/or presentation package, 
etc. It may also be an operating system function (e.g. part 
of a VDE aware operating system or mini-appHcation 
operating with an 0/S such as a Microsoft Windows 
compatible object packaging application) and movement of 
content from "outside" VDE to within a VDE object may, 
for example, be based on a "drag and drop ' metaphor that 
involves "dragging" a file to a VDE container object using a 
pointing device such as a mouse. Alternatively, a user may 
"cut" a portion of content and "paste" such a portion into a 
VDE container by first placing content into a "clipboard," 
then selecting a target content object and pasting the 
content into such an object. Such processes may, at the 
direction of VDE content control information and under the 
control of a VDE secure subsystem, put the content 
automatically at some position in the target object, such as 
at the end of the object or in a portion of the object that 
corresponds to an identifier carried by or with the content 
such as a field identifier, or the embedding process ndght 
pop-up a user interface that allows a user to browse a 
target object's contents and/or table of contents and/or 
other directories, indexes, etc. Such processes may further 
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allow a user to make certain decisions concerning VDE 
content control information (budgets limiting use, 
reporting pathwayCs), usage registration requirements, 
etc.) to be applied to such embedded content and/or may 
involve selecting the specific location for embedding the 
content, all such processes to be performed as 
transparently as practical for the application. 

(4) may be accessed in conjunction with one or more 
operating system utilities for object embedding and 
linking, such as utilities conforming to the Microsoft OLE 
standard. In this case, a VDE container may be associated 
with an OLE "link." Accesses (including reading content 
firom, and writing content to) to a VDE protected container 
may be passed fi:-om an OLE aware application to a VDE 
aware OLE application that accesses protected content in 
conjunction with control information associated with such 
content. 

A VDE aware application may also interact with 
component assemblies within a PPE to allow direct editing of the 
content of a VDE container, whether the content is in a parent or 
embedded VDE content container. This may include the use of a 
VDE aware word processor, for example, to directly edit (add to, 
delete, or otherwise modify) a VDE container's content. The 
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secure VDE processes underl3dng VDE container content editing 
may be largely or entirely transparent to the editor (user) and 
may transparently enable the editor to securely browse through 
(using a VDE aware application) some or aU of the contents of, 
and securely modify one or more of the VDE content containers 
embedded in, a VDE content container hierarchy. 

The embedding processes for all VDE embedded content 
containers normally involves securely identifying the appropriate 
content control information for the embedded content. For 
example, VDE content control information for a VDE installation 
and/or a VDE content container may securely, and transparently 
to an embedder (user), apply the same content control 
information to edited (such as modified or additional) container 
content as is appUed to one or more portions (including all, for 
example) of previously "in place" content of said container and/or 
secxu-ely apply control information generated through a VDE 
control information negotiation between control sets, and/or it 
may apply control information previously applied to said content. 
AppHcation of control information may occur regardless of 
whether the edited content is in a parent or embedded container. 
This same capability of securely applying content control 
information (which may be automatically and/or transparently 
appUed), may also be employed with content that is embedded 
into a VDE container through extracting and embedding content. 
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or through the moving, or copying and embedding, of VDE 
container objects. Application of content control information 
normally occurs securely within one or more VDE secure 
sub-system PPEs 650. This process may employ a VDE template 
that enables a user, through easy to use GUI user interface tools, 
to specify VDE content control information for certain or all 
embedded content, and which may include menu driven, user 
selectable and/or definable options, such as picking amongst 
alternative control methods (e.g. between different forms of 
metering) which may be represented by different icons picturing 
(symbolizing) different control functions and apply such functions 
to an iucrement of VDE secured content, such as an embedded 
object listed on an object directory display. 

Extracting content from a VDE content container, or 
editing or otherwise creating VDE content with a VDE aware 
application, provides content which may be placed within a new 
VDE content container object for embedding into said parent 
VDE container, or such content may be directly placed into a 
previously existing content container. All of these processes may 
be managed by processing VDE content control information 
within one or more VDE installation seciure sub-systems. 

VDE content container objects may be embedded in a 
parent object through control iixformation referenced by a parent 
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object pennissions record that resolves said embedded object's 
location and/or contents. In this case, Httle or no change to the 
embedded object's previously existing content control information 
may be required, VDE securely managed content which is 
relocated to a certain VDE content container may be relocated 
through the use of VDE sub-system secure processes which may, 
for example, continue to maintain relocated content as encrypted 
or otherwise protected (e.g. by secure tamper resistant barrier 
502) during a relocation/embedding process. 

Embedded content (and/or content objects) may have been 
contributed by di£ferent parties and may be integrated into a 
VDE container through a VDE content and content control 
information integration process securely managed through the 
use of one or more secure VDE subsystems. This process may, for 
example, involve one or more of: 

(1.) securely appl3mig instructions controlling the 
embedding and/or use of said submitted content, wherein said 
instructions were securely put in place, at least in part, by a 
content provider and/or user of said VDE container. For 
example, said user and/or provider may interact with one or more 
user interfaces offering a selection of content embedding and/or 
control options (e.g. in the form of a VDE template). Such options 
may include which, and/or whether, one or more controls should 
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be applied to one or more portions of said content and/or the 
entry of content control parameter data (such a time period 
before which said content may not be used, cost of use of content, 
and/or pricing discoimt control parameters such as software 
program suite sale discovmting). Once required and/or optional 
content control information is established by a provider and/or 
user, it may function as content control information which may 
be, in part or in full, applied automatically to certain, or all, 
content which is embedded in a VDE content container. 

(2.) secure VDE managed negotiation activities, including 
the use of a user interface interaction between a \iser at a 
receiving VDE installation and VDE content control information 
associated with the content being submitted for embedding. For 
example, such associated control information may propose 
certain content information and the content receiver may, for 
example, accept, select from a plurality, reject, offer alternative 
control information, and/or apply conditions to the use of certain 
content control information (for example, accept a certain one or 
more controls if said content is used by a certain one or more 
users and/or if the volume of usage of certain content exceeds a 
certain level). 

(3.) a secure, automated, VDE electronic negotiation 
process involving VDE content control information of the 
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receiving VDE content container and/or VDE installation and 
content control information associated with the submitted 
content (such as control information in a permissions record of a 
contributed VDE object, certain component assemblies, 
parameter data in one or more UDEs and/or MDEs, etc.). 

Content embedded into a VDE content container may be 
embedded in the form of: 

(1.) content that is directly, securely integrated into 
previously existing content of a VDE content container (said 
container may be a parent or embedded content container) 
without the formation of a new container object. Content control 
information associated with said content after embedding must 
be consistent with any pre-embeddiag content control 
information controlling, at least in part, the establishment of 
control information required after embedding. Content control 
information for such directly integrated, embedded content may 
be integrated into, and/or otherwise comprise a portion of, control 
information (e.g. in one or more permissions records containing 
content control information) for said VDE container, and/or 

(2.) content that is integrated into said container in one or 
more objects which are nested within said VDE content container 
object. In this instance, control information for said content may 
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be carried by either the content control information for the parent 
VDE content container^ or it may, for example, be in part or in 
full carried by one or more permissions records contained within 
and/or specifically associated with one or more content containing 
nested VDE objects. Such nesting of VDE content containing 
objects within a parent VDE content container may employ a 
number of levels, that is a VDE content container nested in a 
VDE content container may itself contain one or more nested 
VDE content containers. 

VDE content containers may have a nested structure 
comprising one or more nested containers (objects) that may 
themselves store fiirther containers and/or one or more types of 
content, for example, text, images, audio, and/or any other type of 
electronic information (object content may be specified by content 
control information referencing, for example, byte ofiset locations 
on storage media). Such content may be stored, communicated, 
and/or used in stream (such as dynamically accumulating and/or 
flowing) and/or static (fixed, such as predefined, complete file) 
form. Such content may be derived by extracting a subset of the 
content of one or more VDE content containers to directly 
produce one or more restdting VDE content containers. VDE 
securely managed content (e.g. through the use of a VDE aware 
application or operating system having extraction capabiUty) 
may be identified for extraction from each of one or more 
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locations within one or more VDE content containers and may 
then be securely embedded into a new or existing VDE content 
container through processes executing VDE controls in a secure 
subsystem PPE 650. Such extraction and embedding (VDE 
"exporting") involves securely protecting, including securely 
executing, the VDE exporting processes. 

A VDE activity related to VDE exporting and embedding 
involves performing one or more transformations of VDE content 
from one seciire form to one or more other secure forms. Such 
transformation(s) may be performed with or without moving 
transformed content to a new VDE content container (e.g. by 
component assemblies operating within a PPE that do not reveal, 
in unprotected form, the results or other output of such 
transforming processes without further VDE processes governing 
use of at least a portion of said content). One example of such a 
transformation process may involve performing mathematical 
transformations and producing resiilts, such as mathematical 
results, while retaining, none, some, or all of the content 
information on which said transformation was performed. Other 
examples of such transformations include converting a document 
format (such as from a WordPerfect format to a Word for 
Windows format, or an SGML document to a Postscript 
document), changing a video format (such as a QuickTime video 
format to a MPEG video format), performing an artificial 
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intelligence process (such as analyzing text to produce a 
siumnary report), and other processing that derives VDE secured 
content from other VDE secured content. 

Figure 79 shows an example of an arrangement of 
commercial VDE users. The users in this example create, 
distribute, redistribute, and use content in a variety of ways. 
This example shows how certain aspects of control information 
associated with content may evolve as control infoimation passes 
through a chain of handling and control. These VDE users and 
controls are explained in more detail below. 

Creator A in this example creates a VDE container and provides 
associated content control information that includes references 
(amongst other things) to several examples of possible "types" of 
VDE control information. In order to help illustrate this 
example, some of the VDE control information passed to another 
VDE participant is grouped into three categories in the following 
more detailed discussion: distribution control information, 
redistribution control information, and usage control information. 
In this example, a fourth category of embedding control 
information can be considered an element of all three, of the 
preceding categories. Other groupings of control information are 
possible (VDE does not require organizing control information in 
this way). The content control information associated with this 



868 



wo 96/27155 



PCTAJS96/02303 



example of a container created by creator A is indicated on 
Figure 80 as C^. Figure 80 further shows the VDE participants 
who may receive enabling control information related to creator 
A*s VDE content container. Some of the control information in 
this example is explained in more detail below. 

Some of the distribution control information (in this 
example, control information primarily associated with creation, 
modification, and/or use of control information by distributors) 
specified by creator A includes: (a) distributors will compensate 
creator A for each active user of the content of the container at 
the rate of $10 per user per month, (b) distributors are budgeted 
such that they may allow no more than 100 independent users to 
gain access to such content (i.e. may create no more than 100 
permissions records reflecting content access rights) without 
replenishing this budget, and (c) no distribution rights may be 
passed on in enabling control information (e.g. permissions 
records and associated component assemblies) created for 
distribution to other participants. 

Some of the content redistribution control information (in 
this example, control information produced by a distributor 
within the scope permitted by a more senior participant in a 
chain of handling and control and passed to user/providers (in 
this example, user/distributors) and associated with controls 
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and/or other requirements associated with redistribution 
activities by such user/distributors) specified by creator A 
includes: (a) a requirement that control information enabling 
content access may be redistributed by user/distributors no more 
than 2 levels, and further requires that each redistribution 
decrease this value by one, such that a first redistributor is 
restricted to two levels of redistribution, and a second 
redistributor to whom the first redistributor delivers permissions 
will be restricted to one additional level of redistribution, and 
users receiving permissions firom the second redistributor will be 
unable to perform further redistribution (such a restriction may 
be enforced, for example, by including as one aspect of a VDE 
control method associated with creating new permissions a 
requirement to invoke one or more methods that; (i) locate the 
current level of redistribution stored, for example, as an integer 
value in a UDE associated with such one or more methods, (ii) 
compare the level of redistribution value to a limiting value, and 
(iii) if such level of redistribution value is less than the limiting 
value, increment such level of redistribution value by one before 
delivering such a UDE to a user as an aspect of content control 
information associated with VDE managed content, or fail the 
process if such value is equal to such a limiting value), and (b) no 
other special restrictions are placed on redistributors. 
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Some of the usage control mformation (in this example, 
control information that a creator requires a distributor to 
provide in control information passed to iisers and/or 
user/distributors) specified by creator A may include, for 
example: (a) no moves (a form of distribution e^lained elsewhere 
in this document) of the content are permitted, and (b) 
distributors will be required to preserve (at a minimum) 
sufficient metering information within usage permissions in 
order to calculate the number of users who have accessed the 
container in a month and to prevent farther usage after a rental 
has expired (e.g. by using a meter method designed to report 
access usages to creator A through a chain of handling and 
reporting, and/or the use of expiration dates and/or time-aged 
encrjrption keys within a permissions record or other required 
control information). 

Some of the extracting and/or embedding control 
information specified by creator A in this example may include a 
requirement that no extracting and/or embedding of the content 
is or will be permitted by parties in a chain of handling and 
control associated with this control information, except for users 
who have no redistribution rights related to such VDE secured 
content provided by Creator A. Alternatively, or in addition, as 
regards different portions of said content, control information 
enabling certain extraction and/or embedding may be provided 
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along with the redistribution rights described in this example for 
use by user/distributors (who may include user content 
aggregators, that is they may provide content created by, and/or 
received from, diGferent sources so as to create their own content 
products). 

Distributor A in this example has selected a basic approach 
that distributor A prefers when offering enabling content control 
information to users and/or user/distributors that favors rental of 
content access rights over other approaches. In this example, 
some of the control information provided by creators will permit 
distributor A to fulfill this favored approach directly, and other 
control structures may disallow this favored approach (unless, for 
example, distributor A completes a successful VDE negotiation 
allowing such an approach and supporting appropriate control 
information). Many of the control structures received by 
distributor A, in this example, are derived from (and reflect the 
results of) a VDE negotiation process in which distributor A 
indicates a preference for distribution control information that 
authorizes the creation of usage control information reflecting 
rental based usage rights. Such distribution control information 
may allow distributor A to introduce and/or modify control 
structures provided by creators in such a way as to create control 
information for distribution to users and/or user/distributors 
that, in effect, "rent" access rights. Furthermore, distributor A in 
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this example services requests from user/distributors for 
redistribution rights, and therefore also favors distribution 
control information negotiated (or otherwise agreed to) with 
creators that permits distributor A to include such rights as an 
aspect of control information produced by distributor A. 

In this example, distributor A and creator A may \ise VDE 
to negotiate (for example, VDE negotiate) for a distribution 
relationship. Since in this example creator A has produced a 
VDE content container and associated control information that 
indicates creator A's desire to receive compensation based on 
rental of usage rights, and such control information further 
indicates that creator A has placed acceptable restrictions in 
redistribution control information that distributor A may use to 
service requests from user/distributors, distributor A may accept 
creator A's distribution control information without any 
negotiated changes. 

After receiving enabling distribution control information 
from creator A, distributor A may manipulate an appUcation 
program to specify some or all of the particulars of usage control 
information for users and/or user/distributors enabled by 
distributor A (as allowed, or not prevented, by senior control 
information). Distributor A may, for example, determine that a 
price of $15 per month per user would meet distributor A's 
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biisiness objectives with respect to pajrments firom users for 
creator A's container. Distributor A must specify usage control 
information that fulfill the requirements of the distribution 
control information given to distributor A by creator A. For 
example, distributor A may include any required expiration dates 
and/or time-aged encryption keys in the specification of control 
information in accordance with creator A's requirements. If 
distributor A failed to include such information (or to meet other 
requirements) in their specification of control information, the 
control method(s) referenced in creator A's permissions record 
and securely invoked within a PPE 650 to actually create this 
control information would, in this example, fail to execute in the 
desired way (e.g. based on checks of proposed values in certain 
fields, a requirement that certain methods be included in 
permissions, etc.) until acceptable information were included in 
distributor A's control information specification. 

In this example, user A may have estabhshed an account 
with distributor A such that user A may receive VDE managed 
content usage control information from distributor A. User A 
may receive content usage control information from distributor A 
to access and use creator A's content. Since the usage control 
information has passed through (and been added to, and/or 
modified by) a chain of handling including distributor A, the 
usage control information requested from distributor A to make 



874 



wo 96/27155 



PCT/US96/02303 



use of creator A*s content wiD, in this example, reflect a composite 
of control information from creator A and distributor A. For 
example, creator A may have established a meter method that 
will generate an audit record if a user accesses creator A's VDE 
controlled content container if the user has not previously 
accessed the container within the same calendar month (e.g. by 
storing the date of the user's last access in a UDE associated with 
an open container event referenced in a method core of such a 
meter method and comparing such a date upon subsequent 
access to determine if such access has occurred witiiin the same 
calendar month). Distributor A may make use of such a meter 
method in a control method (e.g. also created and/or provided by 
creator A, or created and/or provided by distributor A) associated 
with opening creator A's container that invokes one or more 
billing and/or budget methods created, modified, referenced in 
one or more permissions records and/or parameterized by 
distributor A to reflect a charge for monthly usage as described 
above. If distributor A has specified usage and/or redistribution 
control information within the boundaries permitted by creator 
A's senior control information, a new set of control information 
(shown as D^(C^) ^ Figure 80) may be associated with creator 
A's VDE content container when control information associated 
with that container by distributor A are delivered to users and/or 
user/distributors (tiser A, user B, and user/distributor A in this . 
example). 
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In this example, user A may receive control ioformation 
related to creator A's VDE content container from distributor A. 
This control information may represent an extended agreement 
between user A and distributor A (e.g. regarding fees associated 
with use of content, limited redistribution rights, etc.) and 
distributor A and creator A (e.g. regarding the character, extent, 
handling, reporting, and/or other aspects of the use and/or 
creation of VDE controlled content usage information and/or 
content control information received, for example, by distributor 
A from creator A, or vice versa, or in other VDE content usage 
information handling). Such an extended agreement is enforced 
by processes operating within a secxire subsystem of each 
participant's VDE installation. The portion of such an extended 
agreement representing control information of creator A as 
modified by distributor A in this example is represented by 
D^(C^), including, for example, (a) control structures (e.g. one or 
more component assemblies, one or more permissions records, 
etc.), (b) the recording of usage information generated in the 
course of using creator A's content in conformance with 
requirements stated in such control information, (c) making 
payments (including automatic electronic credit and/or coirrency 
payments ' executed" in response to such iisage) as a consequence 
of such usage (wherein such consequences may also include 
electronically, securely and automatically receiving a bill 
delivered through use of VDE, wherein such a bill is derived from 



876 



wo 96/27155 



PCrAJS96/02303 



said usage), (d) other actions by user A and/or a VDE secure 
subsystem at viser A's VDE instaUation that are a consequence of 
such usage and/or such control information. 

In addition to control information ^^(C^), user A may 
enforce her own control information on her usage of creator A's 
VDE content container (within the limits of senior content control 
information). This control information may include, for example, 
(a) transaction, session, time based, and/or other thresholds 
placed on usage such that if such thresholds (e.g. quantity limits, 
for example, self imposed limits on the amoxmt of expenditure per 
activity parameter) are exceeded user A must give expUcit 
approval before continuing, (b) privacy requirements of user A 
witii respect to the recording and/or transmission of certain usage 
related details relating to user A's usage of creator A's content, (c) 
backup requirements that user A places on herself in order to 
help ensure a preservation of value remaining in creator A's 
content container and/or local store of electronic credit and/or 
currency that might otherwise be lost due to system failure or 
other causes. The right to perform in some or all of these 
examples of user A's control information, in some examples, may 
be negotiated with distributor A. Other such user specified 
control information may be enforced independent of any control 
information received from any content provider and may be set in 
relationship to a user*s, or more generally, a VDE installation's, 
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control information for one or more classes, or for aU classes, of 
content and/or electronic appliance usage. The entire set of VDE 
control information that may be in place during user A's usage of 
creator A's content container is referred to on Figure 80 as 
U^(D^(C^)). This set may represent the control information 
originated by creator A, as modified by distributor A, as further 
modified by user A, all in accordance with control information 
from value chain parties providing more senior control 
information, and therefore constitutes, for this example, a 
"complete" VDE extended agreement between user A, distributor 
A, and creator A regarding creator A*s VDE content container. 
User B may, for example, also receive such control information 
D^(C^) from distributor A, and add her own control information 
in authorized ways to form the set Ug(D^(C^)). 

User/distributor A may also receive VDE control 
information from distributor A related to creator A's VDE content 
container. User/distributor A may, for example, both use creator 
A's content as a user and act as a redistributor of control 
information. In tliis example, control infonnation D^(C^) both 
enables and limits these two activities. To the extent permitted 
by D^CCy^), user/distributor A may create their own control 
information based on D^(C^) - UI^a^^a^^A^^ " controls both 
user/distributor A's xisage (in a manner similar to that described 
above in connection with user A and user B), and control 
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iiiformation redistributed by user/distributor A (in a manner 
similar to that described above in connection with distributor A). 
For example, if user/distributor A redistributes UD^(D^(C^)) to 
user/distributor B, user/distributor B may be required to report 
certain usage information to user/distributor A that was not 
required by either creator A or distributor A. Alternatively or in 
addition, user/distributor B may, for example, agree to pay 
user/distributor A a fee to use creator A's content based on the 
number of minutes user/distributor B uses creator A's content 
(rather than the monthly fee charged to user/distributor A by 
distributor A for user/distributor B's usage). 

In this example, user/distributor A may distribute control 
information UD^(D^(C^)) to user/distributor B that permits 
user/distributor B to further redistribute control information 
associated with creator A's content. User/distributor B may 
make a new set of control information UDg{lID^(D^(C^))). If the 
control information UI^a^D^(C^)) permits user/distributor B to 
redistribute, the restrictions on redistribution from creator A in 
this example wiU prohibit the set UDg(UD^(D^(C^))) frx>m 
including fiirther redistribution rights (e.g. providing 
redistribution rights to user B) because the chain of handling 
from distributor A to user/distributor A (distribution; and the 
continuation of that chain from user/distributor A to 
user/distributor B (first level of redistribution) and the further 
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continuation of that chain to another user represents two levels 
of redistribution, and, therefore, a set UDg(UD^(D^(C^))) may 
not, in this example, include further redistribution rights. 

As indicated in Figure 79, user B may employ content from 
both user/distributor B and distributor A (amongst others). In 
this example, as illustrated in Figure 80, user B may receive 
control information associated with creator A's content from 
distributor A and/or user/distributor B. In either case, user B 
may be able to establish their own control information on Da(C .) 

A A 

and/or UDg(IJD^(D^(C^))), respectively (if allowed by such 
control information. The resulting set(s) of control information, 
Ub(D^(C^)) and/or U3(UD3(UD^(D^(C^)))) respectively, may 
represent different control scenarios, each of which may have 
benefits for user B. As described in connection with an earher 
example, user B may have received control information from 
user/distributor B along a chain of handling including 
user/distributor A that bases fees on the nimiber of minutes that 
user B makes use of creator A's content (and requiring 
user/distributor A to pay fees of $15 per month per user to 
distributor A regardless of the amotmt of usage by user B in a 
calendar month). This may be more favorable under some 
circumstances than the fees required by a direct use of control 
information provided by distributor A, but may also have the 
disadvantage of an exhausted chain of redistribution and, for 
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example, farther usage information reporting requirements 
included in UDgOJD^CD^CC^))). If the two sets of control 
information D^(C^) and UDgdJD^CD^CC^))) permit (e.g. do not 
require exclusivity enforced, for example, by using a registration 
interval in an object registry used by a secure subsystem of user 
B's VDE installation to prevent deregistration and reregistration 
of different sets of control information related to a certain 
container (or registration of plural copies of the same content 
having different control information and/or being supplied by 
different content providers) within a particular interval of time as 
an aspect of an extended agreement for a chain of handling and 
control reflected in D^(C^) and/or UDgCUD^CD^CC^))) ), user B 
may have both sets of control information registered and may 
make use of the set that they find preferable under a given usage 
scenario. 

In this example, creator B creates a VDE content container 
and associates a set of VDE control information with such 
container indicated in Figure 81 as Cg. Figure 81 further shows 
the VDE participants who may receive enabling control 
information related to creator B's VDE content container. In this 
example, control information may indicate that distributors of 
creator B's content: (a) must pay creator B $0.50 per kilobyte of 
information decrypted by users and/or user/distributors 
authorized by such a distributor, (b) may allow users and/or 
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user/distributors to embed their content container in another 
container while maintaining a requirement that creator B receive 
$0.50 per kilobyte of content decrypted, (c) have no restrictions on 
the nimiber of enabling control information sets that may be 
generated for users and/or user/distributors, (d) must report 
information concerning the number of such distributed control 
information sets at certain tiaie intervals (e.g. at least once per 
month), (e) may create control information that allows users 
and/or user/distributors to perform up to three moves of their 
control information, (f) may allow redistribution of control 
information by user/distributors up to three levels of 
redistribution, (g) may allow up to one move per user receiving 
redistributed control information from a user/distributor. 

In this example, distributor A may request control 
information from creator B that enables distributor A to 
distribute control information to users and/or user/distributors 
that is associated with the VDE container described above in 
coxmection with creator B. As stated earlier, distributor A has 
established a business model that favors "rental" of access rights 
to users and user/distributors receiving such rights from 
distributor A. Creator B's distribution control information in this 
example does not force a model including "rental" of rights, but 
rather bases payment amounts on the quantity of content 
decrypted by a user or user/distributor. In this example, 
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distributor A may use VDE to negotiate with creator B to include 
a different usage information recording model allowed by creator 
B. This model may be based on including one or more meter 
methods in control structures associated with creator B's 
container that will record the nxmiber of bytes decrypted by end 
users, but not charge users a fee based on such decryptions; 
rather distributor A proposes, and creator B's control information 
agrees to allow, a "rental" model to charge users, and determines 
the amount of pasrments to creator B based on information 
recorded by tiie bytes decrypted meter methods and/or collections 
of payment from users. 

Creator B may, for example, (a) accept such a new control 
model with distributor A acting as the auditor (e.g. trusting a 
control method associated with processing audit information 
received by distributor A from users of creator B's content using a 
VDE secure subsystem at distributor A's site, and further to 
securely calculate amounts owed by distributor A to creator B 
and, for example, making payments to creator B usiag a 
mutually acceptable budget method managing pajrments to 
creator B from credit and/or currency held by distributor A), (b) 
accept such a new control model based on distributor A's 
acceptance of a third party to perform all audit functions 
associated with this content, (c) may accept such a model if 
information associated with the one or more meter methods that 
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record the number of bytes decrypted by users is securely 
packaged by distributor B's VDE secure subsystem and is 
securely, employing VDE communications techniques, sent to 
creator B in addition to distributor A, and/or (d) other mutually 
acceptable conditions. Control information produced by 
distributor A based on modifications performed by distributor A 
as permitted by Cg are referred to in this example as D^(Cg). 

User A may receive a set of control information D^CC^) 
from distributor A. As indicated above in connection with 
content received from creator A via a chain of handling including 
distributor A, user A may apply their own control information to 
the control information D^(Cg), to the extent permitted by 
D^(Cg), to produce a set of control information U^d^^CCg)). The 
set of control information D^CCg) may include one or more meter 
methods that record the number of b3rtes of content from creator 
B's container decrypted by user A (ia order to allow correct 
calculation of amounts owed by distributor A to creator B for user 
A's usage of creator B's content in accordance with the control 
information of Cg that requires payment of $0.50 per kUobjrte of 
decrypted information), and a farther meter method associated 
with recording usage such that distributor A may gather 
sufficient information to securely generate billings associated 
with user A's usage of creator B's content and based on a * rental*' 
model (e.g. distributor A may, for example, have included a meter 
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method that records each calendar month that user A makes use 
of creator B's content, and relates to further control information 
that charges user A $10 per month for each such month during 
which user A makes use of such content.) 

User/distributor A may receive control information 
directly from creator B. In this case, creator B may use VDE to 
negotiate with user/distributor A and deliver a set of control 
information Cg that may be the same or differ from that 
described above in connection with the distribution relationship 
established between creator B and distributor A. For example, 
user/distributor A may receive control information that 
includes a requirement that user/distributor A pay creator B for 
content decrypted by user/distributor A (and any participant 
receiving distributed and/or redistributed control information 
from user/distributor A) at the rate of $0.50 per kilobyte. As 
indicated above, user/distributor A also may receive control 
information associated with creator B's VDE content container 
from distributor A. In this example, user/distributor A may have 
a choice between paying a "rental" fee through a chain of 
handhng passing through distributor A, and a fee based on the 
quantity' of decryption through a chain of handling direct to 
creator B. In this case, user/distributor A may have the ability to 
choose to use either or both of and D^(Cg). As indicated 
earlier in connection with a chain of handling including creator A 
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and distributor A, user/distributor A may apply her own control 
information to the extent permitted by Cg and/or ^^(Cg) to form 
the sets of control information UD^(Cg) and UDACD^CCg)), 
respectively. 

As illustrated in Figure 81, in this example, user B may 
receive control information associated with creator B's VDE 
content container from six different sources: directly from 
creator B, D^(Cg) from distributor A, UD^OID^CD^CCg))) and/or 
UDgOJD^CCg)) from user/distributor B, D^(Cg) from distributor 
C, and/or Dg(D^(Cg)) from distributor B. This represents six 
chains of handling through which user B may enter into extended 
agreements with other participants in this example. Two of these 
chains pass through user/distributor B. Based on a VDE 
negotiation between user/distributor B and user B, an extended 
agreement may be reached (if permitted by control information 
governing both parties) that reflects the conditions xmder which 
user B may use one or both sets of control information. In this 
example, two chains of handling and control may "converge" at 
user/distributor B, and then pass to user B (and if control 
information permits, later diverge once again based on 
distribution and/or redistribution by user B). 

In this example, creator C produces one or more sets of 
control information associated with a VDE content container 
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created by creator C, as shown in Figure 82. Figure 82 further 
shows the VDE participants who may receive enabhng control 
information related to creator C's VDE content container. The 
content in such a container is, in this example, organized into a 
set of text articles. In this example control information may 
include one or more component assemblies that describe the 
articles within such a container (e.g. one or more event methods 
referencing map tables and/or algorithms that describe the extent 
of each article). may further include, for example: (a) a 
requirement that distributors ensxu-e that creator C receive $1 
per article accessed by users and/or user/distributors, which 
payment allows a user to access such an article for a period of no 
more than six months (e.g. using a map-type meter method that 
is aged once per month, time aged decryption keys, esq^iration 
dates associated with relevant permissions records, etc.), (b) 
control information that allows articles from creator C's container 
to be extracted and embedded into another container for a one 
time charge per extract/embed of $10, (c) prohibits 
extracted/embedded articles from being reextracted, (d) permits 
distributors to create enabling control information for up to 1000 
users or user/distributors per month, (e) requires that 
information regarding the number of users and user/distributors 
enabled by a distributor be reported to creator C at least once per 
week, (f) permits distributors to enable users or user/distributors 
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to perform up to one move of enabling control information, and 
(g) permits up to 2 levels of redistribution by user/distributors. 

In this example, distributor B may establish a distribution 
relationship with creator C. Distributor B in this example may 
have established a business model that favors the distribution of 
control information to users and user/distributors that bases 
payments to distributor B based on the number of accesses 
performed by such VDE participants. In this example, 
distributor B may create a modified set Dg{C^) of enabling 
control information for distribution to users and/or 
user/distributors. This set Dg(C^) may, for example, be based on 
a negotiation using VDE to establish a fee of $0.10 per access per 
user for xisers and/or user/distributors who receive control 
information fi-om distributor B. For example, if one or more 
map-type meter methods have been included in to ensure that 
adequate information may be gathered from users and/or 
user/distributors to ensiire correct pa3anents to creator C by 
distributor B based on C^, such methods may be preserved in the 
set Dg(C(.), and one or more further meter methods (and any 
other necessary control structures such as billing and/or budget 
methods) may be included to record each access such that the set 
Dg(C^) will also ensure that distributor B will receive payments 
based on each access. 
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The client adnunistrator in this example may receive a set 
of content control information 0^(0^) that differs, for example, 
from control information received by user B from distributor B. 
For example, the client administrator may use VDE to negotiate 
with distributor B to establish a set of control information for 
content from all creators for whom distributor B may provide 
enabling content control information to the cUent administrator. 
For example, the client administrator may receive a set of control 
information Dg(C^) that reflects the results of a VDE negotiation 
between the cHent administrator and distributor B. The cHent 
administrator may include a set of modifications to Dg(C^) and 
form a new set CA(Dg(C^)) that includes control information that 
may only be available to users and user/distributors within the 
same organization as the client administrator (e.g. coworkers, 
employees, consultants, etc.) In order to enforce such an 
arrangement, CA(Dg(C^)) may, for example, include control 
structures that examine name services information associated 
with a user or user/distributor during registration, establish a 
new budget method administered by the client administrator and 
required for use of the content, etc. 

A distributor may provide redistribution rights to a cUent 
administrator which allows said administrator to redistribute 
rights to create pennissions records for certain content 
(redistribute rights to use said content) only within the 
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administrator's organization and to no other parties. Similarly, 
such administrator may extend such a "limited" right to 
redistribute to department and/or other administrator within his 
organization such that they may redistribute such rights to use 
content based on one or more restricted lists of individuals and/or 
classes and/or other groupings of organization personnel as 
defined by said administrator. This VDE capability to limit 
redistribution to certain one or more parties and/or classes and/or 
other groupings of VDE users and/or installations can be applied 
to content by any VDE content provider, so long as such a control 
is allowed by senior control information. 

User D in this example may receive control information 
from either the client administrator and/or user/distributor C. 
User/distributor C may, for example, distribute control 
information UDQ(CA(Dg(C^))) to user D that includes a 
departmental budget method managed by user/distributor C to 
allow user/distributor C to maintain an additional level of control 
over the actions of user D. In this case, UDj^(CA(Dg(C^))) may 
include midtiple levels of organizational controls (e.g. controls 
originating with the chent administrator and further controls 
originating with user/distributor C) in addition to controls 
restdting from a commercial distribution channel. In addition or 
alternatively, the dient administrator may refuse to distribute 
certain classes of control information to user D even if the cUent 
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administrator has adequate control information (e.g. control 
information distributed to user/distributor C that allows 
redistribution to users such as \iser D) to help ensure that control 
information flows through the client administrator's organization 
in accordance with poUcies, procedures, and/or other 
administrative processes. 



In this example, user E may receive control information 
from the chent administrator and/or distributor B. For example, 
user E may have an account with distributor B even though some 
control information may be received from the chent 
administrator. In this case, user E may be permitted to request 
and receive control information from distributor B without 
restriction, or the chent administrator may have, as a matter of 
organizational pohcy, control information in place associated with 
user E's electronic appHance that limits the scope of user E's 
interaction with distributor B. In the latter case, the chent 
administrator may, for example, have limited user E to 
registering control information with the secure subsystem of user 
E's electronic appHance that is not available from the chent 
administrator, is from one or more certain classes of distributors 
and/or creators, and/or has a cost for usage, such as a certain 
price point (e.g. $50 per hour of usage). Alternatively or in 
addition, the chent administrator may, for example, hmit user £ 
to recei\Tng control information from distributor B in which user 
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E receives a more favorable price (or other control infonnatioxi 
criteria) than the price (or other criteria) available in control 
information from the client administrator. 



In this example, creator D may create a VDE content 
container that is designed primarily for integration with other 
content (e.g. through use of a VDE extracting/embedding 
process), for example, content provided by creator B and creator 
C. Figure 83 shows the VDE participants who may receive 
enabling control information related a VDE content container 
produced by creator D. Control information associated with 
creator D*s content (Cjj in Figure 83) may include, for example: 
(a) a requirement that distributors make payment of either $1.50 
per open per user, or $25 per user for an unlimited number of 
opens, (b) a discount of 20% for any user that has previously paid 
for an unlimited number of opens for certain other content 
created by creator D (e.g. implemented by including one or more 
billing methods that analyze a secure database of a user's VDE 
installation to determine if any of such certain other containers 
are registered, and further determines the character of rights 
held by a user purchasing rights to this container), (c) a 
requirement that distributors report the ntunber of users and 
user/distributors enabled by control information produced in 
accordance with Cjy after such number exceeds 1000, (d) a 
requirement that distributors limit the nimiber of moves by users 
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and/or tiser/distiibutors to no more than one, (e) a requirement 
that distributors limit user/distributors to no more than four 
levels of redistribution, and (f) that distributors may create 
enabling control information that permits other distributors to 
create control information as distributors, but may not pass this 
capability to such enabled distributors, and further requires that 
audit information associated with use of control information by 
such enabled distributors shall pass directly to creator D without 
processing by such enabling distributor and that creator D shall 
pay such an enabling distributor 10% of any payments received 
by creator D from such an enabled distributor. 

In this example, distributor C may receive VDE content 
containers from creator B, creator C, and creator D, and 
associated sets of control information C^, C^, and Cjj. 
Distributor C may use the embedding control information and 
other control information to produce a new container with two or 
more VDE objects received from creator B, creator C, and creator 
D. In addition or alternatively, distributor C may create enabling 
control information for distribution to users and/or 
user/distributors (or in the case of C^, for distributors) for such 
received containers individually. For example, distributor C may 
create a container including content portions (e.g. embedded 
containers) from creator B, creator C, and creator D in which 
each such portion has control information related to its access 
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and use that records, and allows an auditor to gather, sufficient 
information for each such creator to securely and reliably receive 
payments from distributor C based on usage activities related to 
users and/or user/distributors enabled by distributor C. 
Furthermore, distributor C may negotiate using VDE with some 
or all of such creators to enable a model in which distributor C 
provides overall control information for the entire container 
based on a "uniform" fee (e.g. calculated per month, per access, 
from a combined model, etc.) charged to users and/or 
user/distributors, while preserving the models of each such 
creator with respect to pajrments due to them by distributor C 
based on Cg, C^, and/or Cj^, and, for example, resulting from 
each of their differing models for the collection of content usage 
information and any related (e.g. advertising) information. 

In this example, distributor B may receive a VDE content 
container and associated content control information from 
creator E as shown in Figure 83. If permits, distributor B 
may extract a portion of the content in such a container. 
Distributor B may then, for example, embed this portion in a 
container received from distributor C that contains an 
aggregation of VDE objects created by creator B, creator C, and 
creator D. Depending on the particular restrictions and/or 
permissions in the sets of control information received from each 
creator and distributor C, distributor B may, for example, be able 
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to embed such an extracted portion into the container received 
from distributor C as an independent VDE object, or directly into 
content of "in place" objects from creator B, creator C, and/or 
creator D. Alternatively, or in addition, distributor B may, if 
permitted by Cg, choose to distribute such an extracted portion of 
content as an independent VDE object. 

User B may, in this example, receive a VDE content 
container from distributor C that is comprised of VDE objects 
created by creator B, creator C, and creator D. In addition, user 
B may receive a VDE content container from distributor B that 
contains the same content created by creator B, creator C, and 
creator D in addition to one or more extracted/embedded portions 
of content created by creator E. User B may base decisions 
concerning which of such containers they choose to use (including 
which embedded T^ontainers she may wish to use), and under 
which circumstances, based on, for example, the character of such 
extracted/embedded portions (e.g. multimedia presentations 
illustrating potential areas of interest in the remainder of the 
content, commentary explaining and/or expositing other elements 
of content, related works, improved apphcation software 
dehvered as an element of content, etc.); the quahty, utility, 
and/or price (or other attributes of control information) of such 
portions; and other considerations which distinguish the 
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containers and/or content control information received, in this 
example, from distributor B and distributor C. 

User B may receive content control information from 
distributor B for such a VDE content container that permits user 
B to add and/or modify content contained therein. User B may, 
for example, desire an ability to annotate content in such a 
container using a VDE aware word processor or other 
applLcation(s). If permitted by senior control information, some 
or aU of the content may be available to user B for modification 
and/or additions. In this case, user B is acting as a VDE creator 
for added and/or modified content. User B may, for example, 
provide new control information for such content, or may be 
required (or desire to) make use of existing control information 
(or control information included by senior members of a chaia of 
handling for this purpose) to manage such content (based on 
control information related to such a container and/or contained 
objects). 

In this example, VDE 100 has been used to enable an 
environment including, for example, content distribution, 
redistribution, aggregation (extracting and/or embedding), 
reaggregation, modification, and usage. The environment in this 
example allows competitive models in which both control 
information and content may be negotiated for and have different 
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particulars based on the chain of handling through which control 
information and/or content has been passed. Ftnihennore, the 
environment in this example permits content to be added to» 
and/or modified by, VDE participants receiving control 
information that enables such activities. 
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Example - Content Distribution Through a Content VDE Chain 
of Handling 

Figure 84 reflects certain aspects of a relatively simple 
model 3400 of VDE content distribution involving several 
categories of VDE participants. In this instance, and for 
simplicity of reference purposes, various portions of content are 
represented as discrete items in the form of VDE content 
container objects. One or more of such content portions may also 
be integrated together in a single object and may (as may the 
contents of any VDE content container object if allowed by 
content control information) be extracted in whole or part by a 
user. In this example, publishers of historical/educational 
multimedia content have created VDE content containers 
through the use of content objects available from three content 
resources: 

• a Video Library 3402 product available to Publishers on 
optical discs and containing video clip VDE objects 
representing various historical situations, 

• an Internet Repository 3404 which stores history 
information text and picture resources in VDE objects 
which are available for downloading to Publishers and 
other users, and 
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• an Audio Library 3406, also available on optical discs, and 
containing various pieces of musical performances and 
vocal performances (for example, historical narrations) 
which can be tised alone or to accompany other educational 
historical materials. 

The information provided in library 3402, repository 3404, and 
Hbrary 3406 may be provided to difiFerent publishers 3408(a), 
3408(b), 3408(n). Publishers 3408 may, in turn, provide some 
or all of the information they obtain to end users 3410. 

In this example, the Video Library 3402 control 
information allows publishers to extract objects from the Video 
Library product container and content control information 
enabling use of each extracted object during a calendar year if 
the object has a license cost of $50 or less, and is shorter than 45 
minutes in duration, and 20,000 copies of each of any other 
extracted objects, and further requires all video objects to be VDE 
fingerprinted upon decryption. The Audio Library 3404 has 
established similar controls that match its business model. The 
Internet Repository 3406 VDE containerizes, including encrypts, 
selected object content as it streams out of the Repository in 
response to an online, user request to download an object. The 
Repository 3406 may fingerprint the identification of the 
receiving VDE installation into its content prior to encryption 
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and communication to a publisher, and may further require user 
identification fingerprinting of their content when decrypted by 
said Publisher or other content user. 

The Publishers 3408 in this example have selected, vmder 
terms and conditions VDE negotiated (or otherwise agreed to) 
with the proAdding resources, various content pieces which they 
combine together to form their VDE object container products for 
their teacher customers. Publisher 3408(A) has combined video 
objects extracted firom the Video Library 3402 (as indicated by 
circles), text and image objects extracted firom the Internet 
Repository 3404 (indicated by diamonds), and one musical piece 
and one historical narration extracted firom the Audio Library 
3406 (as indicated by rectangles). Publisher 3408(B) has 
extracted a similar array of objects to be combined into his 
product, and has fiirther added graphical elements (indicated by 
a hexagon) created by Publisher 3408(B) to enhance the product. 
Pubhsher 3408(C) has also created a product by combining 
objects firom the Internet Repository 3404 and the Audio Library 
3406. In this example, all publisher products are dehvered, on 
their respective optical discs, in the form of VDE content 
container objects with embedded objects, to a modem high school 
for installation on the high school's computer network. 
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In this particular example, End-Users 3410 are teachers 
who use their VDE node's secure subsystems to access the VDE 
installation on their high school server that supports the 
pubhshers' products (in an alternative example, the high school 
may maintain only a server based VDE installation). These 
teachers license the VDE products from one or more of the 
publishers and extract desired objects from the VDE product 
content containers and either download the extracted VDE 
content in the form of VDE content containers for storage on 
their classroom computers and/or as appropriate and/or efficient. 
The teachers may store extracted content in the form of VDE 
content containers on server mass storage (and/or if desired and 
available to an end-user, and further according to acceptable 
pricing and/or other terms and conditions and/or senior content 
control information, they may store extracted information in 
"clear" unencrypted form on their nodes' and/or server storage 
means). This allows the teachers to play, and/or otherwise use, 
the selected portions of said pubUshers' products, and as shown 
in two instances in this example, add farther teacher and/or 
student created content to said objects. End-user 3410(2), for 
example, has selected a video piece 1 received from Publisher A, 
who received said object from the Video Library. End-user 
3410(3) has also received a video piece 3 from the same Publisher 
3408(A) wherein said piece was also available to her from 
Publisher 3408(B), but perhaps under not as favorable terms and 
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conditions (such as a support consultation telephone line). In 
addition, end-user 3410(3) has received an audio historical 
narration from Publisher 3408(B) which corresponds to the 
content of historical reference piece 7. End-user 3410(3) has also 
received a corresponding historical reference piece 7 (a book) 
from publisher 3408(2) who received said book from the Internet 
Repository 3404, In this instance, perhaps publisher 3408(2) 
charged less for said book because end-user 3410(3) has also 
licensed historical reference piece 7 from him, rather than 
publisher 3408(1), who also carried the same book. End-user 
3410(3), as a teacher, has selected the items she considers most 
appropriate for her classes and, through use of VDE, has been 
able to flexibly extract such items from resources available to her 
(in this instance, extracting objects from various optical products 
provided by publishers and available on the local high school 
network server). 
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Example Distribution of Content Control Information Within 
an Organization 

Figure 85 shows two VDE content containers, Container 
300(A) and Container 300(B), that have been distributed to a 
VDE Chent Administrator 3450 in a large organization. As 
shown in the figure, Container 300(A) and Container 300(B), as 
they arrive at the corporation, carry certain control information 
specifying available usage rights for the organization. As can be 
farther seen in Figure 85, the client administrator 3450 has 
distributed certain subsets of these rights to certain department 
administrators 3452 of her organization, such as Sales and 
Marketing Administrator 3452(1), Planning Administrator 
3452(2), and Research and Development Administrator 3452(k). 
In each instance, the CUent Administrator 3450 has decided 
which usage options and how much budget should be made 
available to each department. 

Figure 85 is a simplified example and, for example, the 
CUent Administrator 3450 could have added further VDE 
controls created by herself and/or modified and/or deleted in place 
controls (if allowed by senior content control information) and/or 
(if allowed by control information) she could have further divided 
the available monetary budget (or other budgets) among specific 
usage activities. In this example, departmental administrators 
have the same rights to determine the rights of departmental 
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end-users as the client administrator has in regard to 
departments. In addition, in this example (but not shown in 
Figure 85) the client administrator 3450 and/or content 
provider(s) may also determine certain control information which 
must directly control (including providing rights related to) end- 
user content usage and/or the consequences of said usage for all 
or certain classes of end-users. In the example shown in Figvire 
85, there are only three levels of VDE participants within the 
organization: 

a Ghent Administrator 3450, 

department administrators 3452, and 

end-users 3454. 
In other examples, VDE will support many levels of VDE 
administration (including overlapping groups) within an 
organization (e.g., division, department, project, network, group, 
end-users, etc). In addition, administrators in a VDE model may 
also themselves be VDE content users. 

Within an organization, VDE installations may be at each 
end-user 3454 node, only on servers or other multiple user 
computers or other electronic appUances, or there may be a mixed 
environment. Determination as to the mix of VDE server and/or 
node usage may be based on organization and/or content provider 
security, performance, cost overhead, or other considerations. 
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In this example, commuiucatioiis between VDE 
participants in Figure 85 employs VDE seoire communication 
techniques between VDE secure subsystems supporting PPEs 
and other VDE secure system components at each VDE 
installation within the organization. 
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Example - Another Content Distribution Example 

Creators of VDE protected content may interact with other 
VDE participants in many diflFerent ways. A VDE creator 102 
may, for example, distribute content and/or content control 
ioformation directly to users, distribute content and/or content 
control information to commercial content repositories, distribute 
content and/or content control information to corporate content 
repositories, and/or distribute content and/or content control 
information to other VDE participants. If a creator 102 does not 
interact directly with all users of her content, she may transmit 
distribution permissions to other VDE participants that permit 
such participants to further distribute content and/or content 
control information. She may also allow further distribution of 
VDE content and/or content control information by, for example, 
not restricting redistribution of control information, or allowing a 
VDE participant to act as a "conduit" for one or more permissions 
records that can be passed along to another party, wherein said 
permissions record provides for including the identification of the 
first receiving party and/or the second receiving party. 

Figure 86 shows one possible arrangement of VDE 
participants. In this example, creator 102 may employ one or 
more appHcation software programs and one or more VDE secure 
subsystems to place unencrypted content into VDE protected 
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form (i.e., into one or more VDE content containers). In addition, 
creator 102 may produce one or more distribution permissions 
3502 and/or usage permissions 3500 as an aspect of control 
information associated with such VDE protected content. Such 
distribution and/or usage permissions 3500, 3502 may be the 
same (e.g., all distribution permissions may have substantively 
all the same characteristics), or they may differ based on the 
category and/or class of participant for whom they are produced, 
the circumstances under which they are requested and/or 
transmitted, changing content control models of either creator 
102 or a recipient, etc. 

In this example, creator 102 transmits (e.g., over a 
network, via broadcast, and/or through transfer of physical 
media) VDE protected content to user 112a, user 112b, and/or 
user 112c. In addition, creator 102 transmits, using VDE secure 
commimications techniques, usage permissions to such users. 
User 112a, user 112b, and user 112c may use such VDE 
protected content within the restrictions of control information 
specified by usage permissions received from creator 102. In this 
case, creator 102 may, for example, msmage all aspects of such 
users activities related to VDE protected content transmitted to 
them by creator 102. Alternatively, creator 102 may, for 
example, include references to control information that must be 
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available to users that is not provided by creator 102 (e.g., 
component assemblies managed by another party). 

Commercial content repository 200g, in this example, may 
receive VDE protected (or otherwise secm-ely delivered) content 
and distribution, permissions and/or other content usage control 
information from creator 102. Commercial content repository 
200g may store content securely such that users may obtain such, 
when any required conditions are met, content from the 
repository 200g. The distribution permissions 3502 may, for 
example, permit commercial content repository 200g to create 
redistribution permissions and/or usage permissions 3500, 3502 
using a VDE protected subsystem within certain restrictions 
described in content control information received from creator 
102 (e.g., not to exceed a certain number of copies, requiring 
certain payments by commercial content repository 200g to 
creator 102, requiring recipients of such permissions to meet 
certain reporting requirements related to content usage 
information, etc.). Such content control information may be 
stored at the repository installation and be appUed to 
imencrypted content as it is transmitted from said repository m 
response to a user request, wherein said content is placed into a 
VDE container as a step in a secure process of communicating 
such content to a user. Redistribution permissions may, for 
example, permit a recipient of such permissions to create a 
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certain number of tisage permissions within certain restrictions 
(e.g., only to members of the same household, business other 
organization, etc.). Repository 200g may, for example, be 
required by control information received from creator 102 to 
gather and report content usage information from all VDE 
participants to whom the repository has distributed permissions. 

In this example, power user 112d may receive VDE 
protected content and redistribution permissions from 
commercial content repository 200g using the desktop computer 
3504. Power user 112d may, for example, then use application 
software in conjunction with a VDE secure subsystem of such 
desktop computer 3504 in order to produce usage permissions for 
the desktop computer 3504, laptop computer 3506 and/or settop 
appUance 3508 (assuming redistribution permissions received 
from commercial content repository 200g permit such activities). 
If permitted by senior control information (for example, from 
creator 102 as may be modified by the repository 200g), power 
user 112d may add her own restrictions to such usage 
permissions (e.g., restricting certain members of power user 
112d's household using the settop appliance to certain times of 
day, amounts of usage, etc. based on their user identification 
information). Power user 112d may then transmit such VDE 
protected content and usage permissions to the laptop computer 
3506 and the settop appliance 3508 using VDE secure 
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commtmications techniques. In this case, power user 112d has 
redistributed permissions from the desktop computer 3504 to the 
settop appUance 3508 and the laptop computer 3506, and 
periodically the settop appliance and the laptop computer may be 
required to report content usage information to the desktop 
computer, which in turn may aggregate, and/or otherwise 
process, and report user usage information to the repository 
200g. 

User 112e and/or user 112f may receive usage permissions 
and VDE protected content from commercial content repository 
200g. These users may be able to use such content in ways 
authorized by such usage information. In contrast to power user 
112d, these users may not have requested and/or received 
redistribution permissions from the repository 200g. In this case, 
these users may still be able to transfer some or aU usage rights 
to another electronic appliance 600, and/or they may be 
permitted to move some of their rights to another electronic 
appliance, if such transferring and/or moving is permitted by the 
usage permissions received from the repository 200g. In this 
case, such other appliances may be able to report usage 
information directly to the repository 200g. 

In this example, corporate content repository 702 within 
corporation 700 may receive VDE protected content and 
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distribution permissions from creator 102. The distribution 
permissions received by corporate repository 702 may, for 
example, include restrictions that limit repository 702 to 
distribution activities within corporation 700. 

The repository 702 may, for example, employ an automated 
system operating in conjunction with a VDE secure subsystem to 
receive and/or transmit VDE protected content, and/or 
redistribution and/or usage permissions. In this case, an 
automated system may, for example, rely on criteria defined by 
corporate policies, departmental poUcies, and/or user preferences 
to determine Uie character of permissions and/or content 
delivered to various parties (corporation groups and/or 
individuals) within corporation 700. Such a system may, for 
example, automatically produce redistribution permissions for a 
departmental content repository 704 in response to corporation 
700 receiving distribution permissions from creator 102, and/or 
produce usage permissions for user 112j and/or user 112k. 

The departmental repository 704 may automatically 
produce usage permissions for user 112g, user 112h, and/or user 
112i. Such users may access content from the corporate content 
repository 702, yet receive usage permissions from departmental 
repository 704. In this case, user 112g, user 112h, and/or user 
112i may receive usage permissions from departmental 
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repository 704 that incorporate departmental restrictions in 
addition to restrictions imposed by senior control information (in 
this example, from creator 102, as may be modified by corporate 
repository 702, as may be further modified by departmental 
repository 704, that reflect a VDE extended agreement 
incorporating commercial requirements of creator 102 and 
corporation 700 in addition to corporate and/or departmental 
policies and agreements with corporate persoimel of corporation 
700). 

Example— "Virtual Silicon Container* 

As discussed above, VDE in one example provides a 
"virtual silicon container" ("virtual black box") in that several 
different instances of SPU 500 may securely communicate 
together to provide an overall secure hardware environment that 
"virtually " exists at multiple locations and multiple electronic 
appliances 600. Figure 87 shows one model 3600 of a virtual 
sihcon container. This virtual container model 3600 includes a 
content creator 102, a content distributor 106, one or more 
content redistributors 106a, one or more cKent administrators 
700, one or more chent users 3602, and one or more 
clearinghouses 116. Each of these various VDE participants has 
an electronic appUance 600 includiag a protected processing 
environment 655 that may comprise, at least in part, a silicon- 
based semiconductor hardware element secxu-e processing unit 
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500. The various SPUs 500 each encapsvilate a part of the virtual 
distribution enviromnent, and thus, together form the virtual 
silicon container 3600. 

Example ~ Testing/Ezamuiations 

A scheduled SAT examination for high school seniors is 
prepared by the Educational Testing Service. The examination is 
placed in a VDE container for schedtiled release on November 15, 
1994 at 1:00 PM Eastern Standard time. The SAT prepares one 
copy of the container for each school or other location which will 
conduct the examination. The school or other location ("test site") 
will be provided with a distributed examination container 
securely containing the VDE identification for the 
"administration" electronic appliance and/or test administrator at 
the test site (such as, a testing organization) and a budget 
enabling, for example, the creation of 200 test VDE content 
containers. Each container created at the test site may have a 
permissions record containing secure identification information 
for each electronic appUance 600, on the test site's network, that 
will be used by a test taker, as weU as, for example, an 
identification for the student who wiU take the test. The student 
identification could, for example, be in the form of a secure PIN 
password which is entered by the student prior to taking the test 
(a test monitor or administrator might verify the student 
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identification by entering in a PIN password). Of course, 
identification might take the firm of automated voice recognition, 
handwriting recognition (signature recognition), fingerprint 
information, eye recognition, or similar one or more recognition 
forms which may be used either to confirm the identity of the test 
taker (and/or test monitor/administrator) and/or may be stored 
with the test results in a VDE container or the like or in a 
location pointed to by certain container information. This 
identification may be stored in encrypted or unenciypted form. If 
stored in encrypted or otherwise protected form, certain 
stmunary iMormation, such as error correction information, may 
be stored with the identification information to authenticate the 
associated test as corresponding to the identification. 

As the student takes the test using the computer terminal, 
the answers selected may be immediately securely stored (but 
may be changed by the student during the test session). Upon 
the completion of the test, the student's answers, along with a 
reference to the test, are securely stored in a VDE reporting 
object which is passed along to the network to the test 
administrator and the administration electronic apphance 600. 
All test objects for all students could then be placed in a VDE 
object 300 for communication to the Educational Testing Service, 
along with whatever other relevant information (which may also 
be secured by VDE 100), including stmunary information giving 
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average and mean scores, and other information that might be 
desirable to summarize and/or act as an authentication of the 
test objects sent. For example, certain information might be sent 
separately from each student simmiary object containing 
information which helps validate the object as an "authentic" test 
object. 

Applying VDE to testing scenarios would largely eliminate 
cheating resulting from access to tests prior to testing (normally 
the tests are stolen from a teacher or test administrator). At 
ETS, individuals who have access to tests could be limited to only 
a portion of the test to eliminate the risk of the theft of a "whole" 
test. Emplojring VDE would also ensure against processing 
errors or other manipulation of test answers, since absolutely 
authentic test results can be archived for a reasonable period of 
time. 

Overall, employing VDE 100 for electronic testing will 
enable the benefits of electronic testing to be provided without 
the substantial risks associated with electronic storing, 
communicating, and processing of test materials and testing 
results. Electronic testing will provide enormous efficiency 
improvements, significantly lowering the cost of conducting and 
processing tests by eliminating printing, shipping, handling, and 
human processing of tests. At the same time, electronic testing 
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will allow users to receive a copy (encrypted or unencrjrpted) of 
their test results when they leave the test sessions. This will 
help protect the tested individual eigaiost lost of, or improperly 
processed, test results. Electronic testing employiag VDE 100 
may also ensure that timing related variables of testing (for 
example precise starting, duration, and stopping times) can be 
rehably managed. And, of coxirse, proper use of VDE 100 for the 
testing process can prevent improper access to test contents prior 
to testing and ensure that test taking is properly audited and 
authenticated, that is which person took which test, at which 
time, on which electronic appliance, at which location. Retesting 
due to lost, stolen, improperly timed, or other variables can be 
avoided or eliminated. 

VDE assisted testing may, of course, be employed for many 
different apphcations including secure identification of 
individuals for security/authentication purposes, for emplojonent 
(e.g. applying for jobs) appHcations, and for a fuD range of 
evaluation testing. For example, an airline pilot, or a truck, 
train, or bus driver might take a test immediately prior to 
departure or during travel, with the test evaluating alertness to 
test for fatigue, drug use, etc. A certain test may have a different 
order and/or combination of test activities each time, or each 
group of times, the test is taken. The test or a master test might 
be stored in a VDE container (the order of, and which, test 
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questions might be determined by a process executed securely 
within an PPE 650). The test responses may be encrypted as 
they occur and either locally stored for aggregated (or other test 
result) transmission or dynamically transmitted (for example, to 
a central test administration computer). If the test taker "fltmks" 
the test, perhaps he or she is then prevented from operating the 
vehicle, either by a local PPE 650 issuing control instructions to 
that effect on some portion of the vehicle's electronic control 
system or a local PPE failing to decrypt or otherwise provide 
certain key information required for vehicle operation. 

Example - Appliance Rental 

Through use of the present invention, electronic appUances 
can be "leased" or otherwise provided to customers who, rather 
than purchasing a given appliance for unlimited usage, may 
acquire the apphance (such as a VCR, television, microwave 
oven, etc.) and be charged according to one or more aspects of 
use. For example, the charge for a microwave might be for each 
time it is used to prepare an item and/or for the duration of time 
used. A telephone jack could be attached, either consistently or 
periodically, to an inexpensive modem operatively attached or 
within the microwave (the modem might alternatively be located 
at a location which services a pluraUty of items and/or functions 
such as burglar alarm, light and/or heat control). Alternatively, 
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such appliances may make use of a network formed by the power 
cables in a building to transmit and receive signals. 

At a periodic interval, usage information (in summary form 
and/or detailed) could be automatically sent to a remote 
information utility that collects information on appliance usage 
(the utihty might service a certain brand, a certain type of 
appliance, and/or a collection of brands and/or types). The usage 
information would be sent in VDE form (e.g. as a VDE object 
300). The information utility might then distribute information 
to financial clearinghouse(s) if it did not itself perform the biUing 
function, or the information "belonging" to each apphance 
manufacturer and/or lessor (retailer) might be sent to them or to 
their agents. In this way a new industry would be enabled of 
leased usage of appliances where the leases might be analogous 
to car leasing. 

With VDE installed, appliances could also be managed by 
secure identification (PIN, voice or signature recognition, etc.). 
This might be required each time a unit is used, or on some 
periodic basis. Failure to use the secure identification or use it on 
a timely basis could disable an appliance if a PPE 650 issued one 
or more instructions (or failed to decrypt or otherwise provide 
certain information critical to apphance operation) that 
prevented use of a portion or all of the appliance's functions. 
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This feature would greatly reduce the desirability of stealing an 
electronic appliance. A farther, allied use of VDE is the 
"registration" of a VDE secure subsystem in a given appliance 
with a VDE secure subsystem at some control location in a home 
or business. This control location might also be responsible for 
VDE remote commtmications and/or centralized administration 
(iacludiag, for example, restricting yotur children from viewing R 
rated movies either on television or videocassettes through the 
recognition of data indicating that a given movie, song, channel, 
game, etc. was R rated and allowing a parent to restrict viewing 
or listening). Such a control location may, for example, also 
gather information on consxmiption of water, gas, electricity, 
telephone usage, etc. (either through use of PPEs 650 integrated 
in control means for measuring and/or controlling such 
consumption, or through one or more signals generated by 
non-VDE systems and delivered to a VDE secure subsystem, for 
example, for processing, usage control (e.g. usage limiting), 
and/or billing), transmit such information to one or more utilities, 
pay for such consumption using VDE sectired electronic currency 
and/or credit, etc. 

In addition, one or more budgets for usage could be 
managed by VDE which would prevent improper, excessive use of 
a certain, leased apphance, that might, for example lead to 
failure of the appliance, such as making far more copies using a 
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photocopier than specified by the duty cycle. Such improper use 
could result in a message, for example on a display panel or 
television screen, or in the form of a communication from a 
central clearinghouse, that the user should upgrade to a more 
robust modeL 

While the invention has been described in coimection with 
what is presently considered to be the most practical and 
preferred embodiment, it is to be understood that the invention is 
not to be limited to the disclosed embodiment, but on the 
contrary, is intended to cover various modifications and 
equivalent arrangements included within the spirit and scope of 
the appended claims. 
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WE C^AIM? 

1. A method for secure content delivery including: 

a) encapsulating digital information within one or more 
digital containers; 

b) encrypting at least one portion of said digital 
information; 

c) associating at least partially secure control 
information for managing interaction with said 
encrypted digital information and/or the digital 
container; 

d) delivering one or more of said one or more digital 
containers to a digital information user; 

e) emplojring a protected processing environment for 
securely controlling decryption of at least a portion of 
said digital information. 

2. A system for secure content delivery including: 

encrj^ting means for encrypting at least one portion of 
digital information; 

container processing means for encapsulating digital 
information wiUiin one or more digital containers and for 
associating at least partially secure control information for 
managing interaction with said enciypted digital information; 
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delivery means for deUvering one or more of said one or 
more digital containers to a digital infonnation user; and 

at least one protected processing environment for securely 
controlling decryption of at least a portion of said digital 
information. 

3. A method for secure digital information delivery 
characterized by the steps of: (a) encrypting at least a portion of 
said digital information through the use of a first at least one 
VDE node, (b) creating and encrjrpting, through the use of said 
first at least one VDE node, control information to control use of 
at least a portion of said digital information by plural, users, (c) 
securely providiag said control information to said plural users, 
and (d) employing at least one VDE node different firom said first 
at least one VDE node to process at least portions of said control 
information and to control use of said encrjrpted digital 
information by said users. 

4. A system for secure digital information delivery 
characterized by: 

a first at least one VDE node for encrypting at least a 
portion of said digital information, 

means for creating and encrypting, through the use of said 
first at least one VDE node, control information to control use of 
at least a portion of said digital information by plural, users, 
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means for securely providing said control information to 
said plural users, and 

at least one VDE node dififerent from said first at least one 
VDE node for processing at least portions of said control 
information and to control use of said encrypted digital 
information by said users. 

5. A method for secm-e content delivery wherein at least 
partially encrypted content is encapsulated within at least one 
digital container and the digital container is deHvered to a digital 
information user, the method characterized by the steps of: 

associating, with the encapstdated content and/or the 
digitsd contaiaer, at least partially secure control information for 
managing interaction with the container and/or the content; and 

employing a protected processing environment for 
securely controlling decryption of at least a portion of the 
encrypted content based at least in part on the control 
information. 

6. A system for secure content deUvery wherein at least 
partially encrypted content is encapsulated within at least one 
digital container and the digital container is delivered to a digital 
information user, the system characterized by: 

a data structure that associates, with the encapsulated 
content and/or the digital container, at least partially secure 
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control infonnation for managing interaction with the 
information; and 

a protected processing environment for securely 
controlling decryption of at least a portion of the encrypted 
content based at least in part on the control infonnation. 

7» A method for secure digital information delivery 
characterized by the steps of: (a) encrypting at least a portion of 
said digital information, (b) associating protected control 
infonnation to at least a portion of said digital information, and c) 
providing at least a portion of said encrypted digital information 
to a first user and at least in part controlling use of at least a 
portion of said encrypted digital information through the use of 
at least a portion of said protected control information, wherein 
said first user further provides at least one of (a) a copy of said at 
least a portion of said encrypted digital information , or (b) said 
encrypted digital information, to a second xiser, and wherein said 
second user associates further control information with said 
encrypted digital information for use in controlling use of said 
encrypted digital information by a third user. 

8. A system for secure digital information delivery 
characterized by: 

means for enciypting at least a portion of said digital 
information, 
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means for associatmg protected control information to at 
least a portion of said digital information, 

means for providing at least a portion of said encrypted 
digital information to a first user 

means for at least in part controlling use of at least a 
portion of said enci^rpted digital information through the use of 
at least a portion of said protected control information, 

means for allowing the first user to provide at least one of 
(a) a copy of said at least a portion of said encrypted digital 
information, or (b) said encrypted digital information, to a second 
user, and 

means for allowing said second user to associate further 
control information with said encrypted digital information for 
use in controlling use of said encrypted digital information by a 
third \iser. 



9. A method for secure digital transaction management 
iacluding: 

a) encrypting digital information at a first location; 

b) enabling a first party to securely associate at least 
one control with said information for use in ensuring 
at least one consequence of use of said information; 

c) enabling one or more additional parties to securely 
associate at least one further control with said 
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information for use in ensxiring at least one 

consequence of use of said information; 
d) distributing at least a portion of said information to 

a party other than the first and additional parties at 

a location different from the locations of the first and 

additional locations; and 
f) decrypting at least a portion of said information at 

said third location, and enstiring said consequences 

of use of said information. 

10. A system for secure digital transaction management 
including interconnected structures for performing the following 
functions: 

a) encrypting digital information; 

b) enabling a first party to securely associate at least 
one control with said information for use in ensuring 
at least one consequence of use of said information; 

c) enabling one or more additional parties to securely 
associate at least one fiirther control with said 
information for use in ensuring at least one 
additional consequence of use of said information; 

d) distributing at least a portion of said information to 
a fiirther party; and 

e) decrypting at least a portion of said information; and 

f) securely ensuring said consequences. 
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11. A system for secure digital transaction management 
wherein digital information is encrypted by a first party at a first 
location and distributed, characterized by: 

a first protected processing environment for enabling the 
first party to securely associate at least a first control with said 
information, 

a fiiriher protected processing environment for enabling 
the fiirther party to securely associate at least a fiirther control 
with said information, and 

a still further protected processing environment for 
decrypting at least a portion of said information while controlling 
at least one consequence of use of the information based at least 
in part on the first and further controls. 

12. A method for secure digital transaction management 
wherein digital information is encrypted by a first party at a first 
location and distributed, characterized by the following steps: 

enabling the first party to securely associate at least a 
first control with said information, 

enabling a further party to securely associate at least a 
further control with said information, and 

transmitting the first and fiirther controls; and 

decrypting at least a portion of said information while 
controlling at least one consequence at least in part on the 
transmitted controls. 
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13. A method for secvirely automating distributed 
electronic processes including: 

a) providing secure, interoperable, general purpose 
rights management processing means to miiltiple, 
parties; 

b) establishing secure process management controls for 
automatically, at least partially remotely, and 
securely supporting requirements related to 
electronic events; 

c) securely distributing process management controls 
to party sites; 

d) securely maintaining at least a portion of said 
process management controls under the control of 
party processing means at said party sites; 

e) automaticaDy managing electronic processes at said 
party sites to enforce interests related to said 
electronic content. 

14. A system for securely automating distributed 
electronic processes including: 

interoperable rights management processing means 
disposed at multiple parties' sites; 

control establishing means for establishing secure process 
management controls; for remotely, automatically, and securely 
supporting requirements related to electronic events; and for 
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securely distributiiig process maaagement controls to party 
sites; 

security means for securely maintaining at least a portion 
of said process management controls imder the control of 
processing means at said party sites; and 

managing means for automatically managing electronic 
processes at plural party sites to enforce interests related to said 
electronic events. 

15. A method for automating distributed electronic 
processes using interoperable processors at multiple sites, 
characterized by the following steps: 

securely distributing, to the processors, process 
management controls for automatically, and securely supporting 
requirements related to electronic events; 

securely maintaining at least a portion of said process 
management controls under the control of the processors; and 

automatically managing, in a distributed manner with 
the processors, electronic processes at the mtiltiple sites to 
enforce interests related to electronic events. 

16. A system for automating distributed electronic 
processes using interoperable processors at multiple sites, 
characterized by the following: 
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distiibutmg means connected to the processors for 
securely distributing, to the processors, process management 
controls for remotely, automatically, and securely supporting 
requirements related to electronic events; 

process control means for securely maintaining at least a 
portion of said process management controls imder the control of 
the processors; and 

management means for automatically managing, in a 
distributed manner with the processors, electronic processes at 
the mtdtiple sites to enforce the interests related to the electronic 
events. 

17. A method of securely enforcing a rights seniority 
system characterized by the steps of: 

aUowing a first user to create at least one control over 
electronic content; and 

allowing a second user to contribute at least one further 
control over electronic content and/or alter the control in place, 
the second control being subject to the first control. 

18. A system for securely enforcing a rights seniority 
system characterized by: 

a first secure environment for allowing a first user to 
contribute at least one control over electronic content; and 
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a second secure enviromnent for allowmg a second user to 
contribute at least one further control over electronic content 
and/or alter the control in place, the second control being subject 
to the first control. 

19. A method of securely enforcing a rights seniority 
system characterized by liie step of allowing a first user to create 
at least one electronic control that at least in part dictates the 
rights a second user has to create fiirther electronic controls over 
the use of and/or access to electronic content. 

20. A system for securely enforcing a rights seniority 
system characterized by at least one means for allowing a first 
user to create at least one electronic control that at least in part 
dictates the rights a second user has to create further electronic 
controls over the use of and/or access to electronic content. 

21. A method for employing protected processing 
environments including: 

a) distributing interoperable protected processing 
environments to plural parties; 

b) providing a first interoperable protected processing 
environment for use by a first party to enable said 
party to (a) encrypt digital information, and (b) 
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create control information for managing at least one 
aspect of use of said digital information; 

c) encrypting said digital information in response to 
one or more instructions from said first party; 

d) making said digital information available to a second 
party; 

e) through the use of a second iateroperable protected 
processing environment, satisfying requirements 
enforced by said control information and allowing 
said second party to use at least a portion of said 
digital information; 

f) through the use of said second interoperable 
protected processing environment securely reporting 
information reflecting at least one aspect of said 
second party use of said digital information. 

22. A system for employing protected processing 
environments including: 

interoperable protected processing environments 
distributed to pltiral parties, including a first iateroperable 
protected processing environment for use by a first party to 
enable said party to (a) encrypt digital information, and (b) create 
control information for managing at least one aspect of use of 
said digital information, and further including a second 
interoperable protected processing enviroimient; 
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means for encrypting said digital information in response 
to one or more instructions from said first party, and for making 
said digital information available to a second party; 

means for a second interoperable protected processing 
environment to satisfy requirements enforced by said control 
information and to allow said second party to use at least a 
portion of said digital information; and to securely report 
information reflectrag at least one aspect of said second part/s 
use of said digital information. 

23. A method for employing protected processing 
environments distributed to plural parties characterized by the 
following steps: 

using a first protected processing environment to encrypt 
digital information, and control information specifying 
requirements for managing at least one aspect of use of said 
digital information; 

using a second protected processing enviroxunent 
interoperable with the first protected processing environment to 
enforce the requirement specified by said control information and 
conditionally allowing use of at least a portion of said digital 
information; and 

using the second protected processing environment to 
report information reflecting at least one aspect of use of said 
digital information. 
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24. A system for employing protected processing 
environments distributed to plural parties characterized by: 

a first protected processing environment to encrypt digital 
information, and for handling control information specifying 
requirements for managing at least one aspect of use of said 
digital information; 

a second protected processing environment interoperable 
with the first protected processing environment for enforcing at 
least one requirement specified by said control information and 
conditionally allowing use of at least a portion of said digital 
information; and for reporting infonnation reflecting at least one 
aspect of use of said digital information. 

25. A secure network architecture comprising multiple 
cooperating interconnected nodes having protected processing 
environments, at least a portion of said nodes being able to 
intercommunicate, characterized in that VDE-protected 
information can be moved firom a source node to a destination 
node and processed at least in part by the destination node. 

26. In a secure network architecture comprising multiple 
cooperating iaterconnected nodes having protected processing 
environments, the nodes beiag able to intercommunicate, a 
method comprising the step of moving VDE-protected 



934 



wo 96/27155 



PCT/US96y02303 



mformation from a source node to a destination node and 
processed at least in part by the destination node. 

27. A secure local area network topology comprising 
multiple cooperating interconnected nodes, characterized in that 
at least some of the nodes comprise network workstations with 
software defining protected processing environments, and at 
least one of the nodes comprises a secure database server that 
provides information in protected form for processing by the 
network workstation protected processing environments. 

28. In a secure local area network topology comprising 
multiple cooperating interconnected nodes, a method 
characterized by the steps of: 

executing, at least in part with network workstations, 
software defining protected processing environments, and 

providing, with a secure database server, information for 
processing by the network workstation protected processing 
environments. 

29. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that at least one of the pliiral 
nodes provides a protected processing environment that performs 
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a server function for a client comprising at least a portion of the 
protected processing environment of at least one other node. 

30. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by providing, with at least 
one of the plural nodes, a protected processing environment; and 
performing, with the protected processing environment, a server 
function for a client comprising at least a portion of the protected 
processing enviroimient of at least one other node. 

31. A method for securely managing electronic 
negotiations related to electronic commerce value chain activities 
including: 

a) employing a protected processing environment by a 
first party to securely specify rules and/or controls 
for managing an electronic commerce process; 

b) securely making said specified rules and/or controls 
available to a second party; 

c) employing a protected processing environment 
different firom said first protected processing 
environment to further securely specify rules and/or 
controls for managing at least one commerce process 
related to the common commercial interests of said 
first party and said second party; 
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d) employing said protected processing environment to 
securely electronically negotiate at least one 
aggregate rules and/or controls set representing the 
electronic interests of botii said first party and said 
second party; 

e) employing a protected processing environment to 
manage said electronic commerce process consistent 
with at least a portion of said aggregate rules and/or 
controls set. 

32. A system for securely managing electronic negotiations 
related to electronic commerce value chain activities including: 

a first party^s protected processing environment for 
securely specifying rules and/or controls for managing an 
electronic corrmierce process, and for securely making said 
specified rules and/or controls available to a second party; 

a second party's protected processing environment 
different firom said first partjr's protected processing environment 
to further securely specify rules and/or controls including means 
for managing at least one commerce process related to the 
common commercial interests of said first party and said second 
party; 

at least one of the first partes and the second party's 
protected processing environment for securely electronically 
negotiating at least one aggregate rules and/or controls set 
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representing the electronic interests of both said first party and 
said second party; and 

at least one of the first part/s and the second party's 
protected processing environment including means for managing 
said electronic commerce process consistent with said at least a 
portion of said aggregate rules and/or controls set. 

33. A method for securely managing electronic 
negotiations related to electronic commerce value chain activities 
through use of first and second protected processing environment 
characterized by: 

usiag the first environment, securely specifyiog rules 
and/or controls for managing an electronic commerce process; 

using the second environment, fiirther securely specifying 
rules and/or controls for managing at least one commerce process 
related to the conmiercial interests of a Grst and a second party; 

employing at least one of the first and second protected 
processing environments to securely electronically negotiate at 
least one aggregate rules and/or controls set representing the 
electronic interests of the first party and said second party; and 

employing at least one of the first and second protected 
processing environment to manage said electronic commerce 
process consistent with at least a portion of said aggregate rules 
and controls set. 
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34, A system for securely maBaging electronic negotiations 
related to electronic commerce value chain activities through use 
of first and second protected processing environment 
characterized by: 

the jBrst environment including means for securely 
specifying rules for managing an electronic commerce process; 

the second environment including means for further 
securely specify rules for managiQg at least one commerce 
process related to the commercial interests of first and second 
parties; 

at least one of the first and second protected processing 
enviroxunents including means for securely electronically 
negotiating at least one aggregate rules set at least partially 
representing the electronic interests of said first party and said 
second party; and 

at least one of the first and second protected processing 
environment including means for managing said electronic 
commerce process consistent with said at least a portion of said 
aggregate rules set. 

35. A method for managing a distributed electronic 
i commerce environment including: 

a) establishing a secure^ certificate authority for 
authenticating a user identity for an electronic 
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commerce participant wherein said identity includes 
one or more user class parameters; 

b) certiiying said user identity through the use of one 
or more certificates enabled by said certificate 
authority; 

c) controlling the use of distributed electronic 
information based at least in part on class parameter 
information included in such certified identity. 

36. A system for securely managing a distributed 
electronic commerce environment including: 

means for establishing a user identify for an electronic 
commerce participant wherein said identity includes one or more 
user class parameters; 

a certificate authority for authenticating such user 
identity by certifying said user identity through the use of one or 
more certificates enabled by said certificate authority; and 

means for controlling the use of distributed electronic 
information based at least in part on class parameter information 
included in such certified identity. 

37. A method for securely managing a distributed 
electronic commerce environment to allow interaction with an 
electronic commerce participant having a user identity that is 
certified by a certificate authority, characterized by: 
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establishing a user identity; 

certifying the user identity and the user class parameter; 

and 

associating, with the user identity, at least one user class 
parameter, wherein said certified class parameter, at least in 
part, is used to control use of distributed electronic information. 

38. A system for managing a distributed electronic 
commerce environment to allow interaction with an electronic 
commerce participant having a certified user identity, 
characterized by: 

means for associating at least one user class parameter 
with an established user identity; 

means for ascertaining the authenticity of the user identity 
and/or the user class parameter; and 

means for controlling use of distributed electronic 
information based at least in part on said status. 

39. A system as in claim 38 wherein the class parameter 
represents the user^s age, and the controlling means includes 
means for controlling the use of distributed electronic 
information based on the user's age. 

40. A method of securely establishing user identity 
through use of certificates, the method characterized by: 
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presenting an electronic token reflecting at least one user 
class characteristic; 

determining whether an electronic certificate authenticates 
the user class characteristic reflected by the token; and 

using the token as a basis for granting rights. 

41. A system for identifying a user through use of 
certificates, the system characterized by: 

means presenting an electronic token reflecting at least 
one user class characteristic; 

means for obtaining an electronic certificate; 

means for determining whether the electronic certificate 
authenticates the user class characteristic reflected by the token; 
and 

means for using the certified, authenticated token as a 
basis for granting rights. 

42. A system for securely managing a distributed 
electronic commerce environment including: 

means for identifying an electronic commerce participant 

by specifying at least one user category; 

means for authenticating such user identity; and 
means for controlling the use of distributed electronic 

information based at least in part on the user category. 
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43. A method for securely maBaging a distributed 
electroBic commerce environment to allow interaction with an 
electronic commerce participant, characterized by: 

establishing a user identity and an associated user class 
parameter; and 

using the class parameter to, at least in part, control use of 
distributed electronic information. 

44. A system for managing a distributed electronic 
commerce environment to allow interaction with an electronic 
commerce participant, characterized by: 

means for associating at least one user class parameter 
with a user identity; 

means for authenticating the user identity and/or the user 
class parameter; and 

means for controlling use of distributed electronic 
information based at least in part on said status. 

45. A system as in claim 44 wherein the class parameter 
represents the user's age, and the controlling means includes 
means for controlling the use of distributed electronic 
information based on the user's age. 

46. A method of securely establishing user identity, the 
method characterized by: 
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presenting an electronic token reflecting at least one user 
class characteristic; 

determining the user class characteristic reflected by the 
token is authentic; and 

using the token as at least a partial basis for granting 
rights. 

47. A system for securely establishing user identity 
characterized by: 

means presenting an electronic token reflecting at least 
one user class characteristic; 

authenticating the user class characteristic reflected by the 
token; and 

means for using the authenticated token as a basis for 
granting rights. 

48. A method of authenticating a user identity, the method 
characterized by: 

receiving a certificate request and associated user identity; 

and 

issuing an electronic ceitificate for use in authenticating at 
least one user class characteristic associated with the user 
identity for granting rights based on the user class characteristic. 
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49. A system for authenticating user identity, 
characterized by; 

means for receiving a certificate request and associated 
user identify; and 

means for issuing an electronic certificate for use in 
authenticating at least one user class characteristic associated 
with the user identity for granting rights based on the user class 
characteristic. 



50. A method of securely establishing user identity, the 
method characterized by: 

receiving a certificate request; and 

issuing an electronic certificate specif3dng at least one user 
class characteristic. 

51. A system for securely establishing user identity 
through use of certificates, characterized by: 

means for receiving a certificate request and associated 
user identity; and 

means for issuing an electronic certificate specifying at 
least one user class characteristic. 
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52. A method or system of managing rights characterized 
in that a cryptographically signed token is used to certify 
membership in a class, the token is authenticated, and the class 
membership represented by the token is used as a basis for 
granting and/or withholding rights and/or permissions. 

53. A method or system of managing rights characterized 
in that a cryptographically signed token is used to certify 
membership in a class, the status of such token is ascertained, 
and the class membership represented by the token is used as a 
basis for allowing a user presenting the token to create electronic 
rules. 

54. A method or system of managing rights characterized 
in that a cryptographically signed token is used to certify 
membership in a class, the token is vaUdated, and the class 
membership represented by the token is used as a basis for 
allowing a user presenting the token to exercise rights imder 
electronic rules. 

55. A method for enabling a distributed electronic 
commerce electronic agreement system including: 

a) enabling distributed, interoperable secure cUent 
protected processing environment nodes; 
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b) establishing at least one system wide secure 
communications key; 

c) employing public key enciyption for communications 
between plural client nodes; 

d) supporting the delivery of electronic control 
information by individual clients wherein said 
control information at least in part specifies their 
respective electronic commerce agreement rights; 

e) supporting at least one protected processing 
environment for determining the respective and/or 
collective rights of said clients by establishing one or 
more electronic agreements based at least in part on 
said secure dehvery of electronic control information; 

f) employing a secure software container data control 
structure for enstiring persistent maintenance of the 
electronic rights of the cUents; 

g) using secure software containers which provide for 
data structures that support rules and/or controls 
corresponding to electronic commerce model 
agreement enforcement. 

56. A distributed electronic agreement system including: 
plural distributed, interoperable secvire client protected 
processing environment nodes for supporting delivery of 
electronic control information by individual clients wherein said 
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control infonnatioii at least in part specifies said client's 
respective electronic commerce model agreement rights, and for 
employing public key encryption and authentication for 
communications between said plural client nodes; 

means coupled to said nodes for establishing at least one 
system wide secure communications key; and 

at least one protected processing environment for: 
(a) determining the respective and/or collective rights of 
electronic conunerce model clients by establishing 
one or more electronic agreements based at least in 
part on said secure delivery of electronic control 
information; 

(b) employing a secure software container data control 
structure for enstiring persistent maintenance of the 
electronic rights of commerce model cUents; and 

(c) using secure software containers which provide for 
data structures that support controls corresponding 
to electronic commerce model agreement 
enforcement. 

57. A method for enabling a distributed electronic 
commerce electronic agreement system including distributed, 
interoperable secure cUent protected processing environment 
nodes employing at least one system wide secure commimications 
key, employing pubUc key encryption and authentication for 
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commiuucations between plural client nodes, and employing an 
certification authority for establishing client identity, the method 
characterized by: 

supporting the , secure dehvery of electronic commerce 
model agreement rights control information; 

determining the respective and/or collective rights of 
electronic commerce model clients by establishing one or more 
electronic agreements based at least in part on said secure 
deUvery of the electronic control information; 

employing a secure soffc\yare contaLner data control 
structure for ensuring remote, persistent maintenance of the 
electronic rights of commerce model clients; and 

using secure software containers which provide for data 
structures supporting rales and controls corresponding to 
electronic commerce model agreement enforcement. 

58. A distributed electronic commerce electronic 
agreement system including: 

distributed, interoperable secure client protected 
processing environment nodes employing at least one system 
wide secure communications key, employing pubUc key 
encryption and authentication for communications between 
plural dient nodes, employing an certification authority for 
establishing cUent identity, and supporting the, secure dehvery of 
electronic commerce model agreement rights control information; 
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means disposed in at least one node for determining the 
respective and/or collective rights of electronic commerce model 
clients by establishing one or more electronic agreements based 
at least in part on said secm'e delivery of the electronic control 
information; and 

means disposed in at least one node for employing a secure 
software container data control structure for ensviring remote, 
persistent maintenance of the electronic rights of commerce 
model clients, and for using secure software containers which 
provide for data structures supporting rules and controls 
corresponding to electronic commerce model agreement 
enforcement. 

59. A method of securely handling electronic currency 
characterized by the following steps: 

packaging electronic currency within a software container, 

and 

dehvering the software container as payment for goods or 
services. 

60. A system for securely handling electronic currency 
characterized by: 

means for packaging electronic currency within a software 
container, and 
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means for delivering the software container as payment for 
goods or services. 

61. A method or system for managing rights within an 
organization characterized in that electronic containers are 
distributed within the organization, the electronic containers 
having controls associated therewith, the controls enforcing, at 
least in part, an organizational hierarchy relating to the use of 
the containers and/or the contents thereof. 

62. A method of organizational rights management 
characterized by the steps of: 

distributing an electronic container within an organization 

and 

restricting usage, access and/or further distribution of the 
electronic container or the contents thereof within or outside of 
the organization based on electronic controls associated with the 
electronic container. 

63. A system for organizational rights management 
characterized by: 

means for distributing an electronic container and 
means for restricting usage, access and/or further 
distribution of the electronic container or the contents thereof 



951 



wo 96/27155 



PCrAJS96/02303 



within or outside of the organization based on electronic controls 
associated with the electronic container. 

64. A method of organizational rights management 
characterized by the steps of: 

distributing electronic containers within an organization, 

and 

using the electronic containers, at least ia part, to 
administer content usage by persons within the organization. 

65. A system for organizational rights management 
characterized by: 

means for distributing electronic containers within an 
organization, and 

means for using the electronic containers, at least in part, 
to administer content usage by persons within the organization. 

66. A method of organizational rights management 
characterized by the steps of: 

distributing electronic containers within an organization, 

and 

using the electronic containers, at least in part, to 
administer use of money within the organization. 

67. A system for organizational rights management 
characterized by electronic containers distributed within an 



952 



wo 96/27155 



PCTAJS96/02303 



organization for, at least in part, administering use of money 
within the organization. 

68. A method of organizational rights management 
characterized by the steps of: 

distributing protected processing environments within an 
organization, and 

using the environments to, at least in part, to administer 
content usage by persons within the organization. 

69. A system for organizational rights management 
characterized by protected processing environments distributed 
within an organization, for, at least in part, administenng 
content usage within the organization. 

70. A method of organizational rights management 
characterized by the steps of: 

distributing protected processing environments within an 
organization, and 

using the processing environments to, at least in part, to 
administer use of money by persons within the organization. 

71. A system for organizational rights management 
characterized by plural protected processing environments 
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distributed within an organization for, at least in part, 
administering use of money within the organization. 

72. A rights management appUance including: 
a user input device, 

a user display device, 

at least one processor, and 

at least one element defining a protected processing 
environment, 

characterized in that the protected processing environment 
stores and uses permissions, methods, keys, programs and/or 
other information to electronically manage rights. 

73. In a rights management appUance including: 
a user input device, 

a user display device, 

at least one processor, and 

at least one element defining a protected processing 
environment, 

a method of operating the appliance characterized by the 
step of storing and using permissions, methods, keys, programs 
and/or other information to electronically manage rights. 

74. A rights management appliance including at least one 
processor element at least in part defining a protected processing 
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environment, characterized in that the protected processing 
environment stores and uses permissions, methods, keys, 
programs and/or other information to electronically manage 
rights. 

75. In a rights management appliance including at least 
one processor element at least in part defining a protected 
processing environment, a method comprising storing and using 
permissions, methods, keys, programs and/or other information 
to electronically manage rights. 

76. A method of electronically storing information in a 
repository and distributing it on request, characterized in that 
the information is protected by associating electronic controls 
with the information, the electronic controls serving to enforce 
rights in the information. 

77. A system for electronically storing information in a 
repository and distributing it on request, characterized by means 
for protecting information by associating electronic controls with 
the information, and Airther including means for using the 
electronic controls to enforce rights in the information. 
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78. A self-protectmg electronic container comprising: 
an electronic container structure for containing digital 

information, and 

an electronic protection mechanism that protects or 
destroys the digital information in the event of tampering. 

79. A method for a self-protecting electronic container 
comprising an electronic container structure for containing 
digital information, the method characterized by detecting an 
attempt at tampering and protecting or destroying the digital 
information in the said attempt. 

80. A method of creating a self-protecting container system 
comprising: 

providing at least one property, 

providing at least one attribute, 

providing at least one cryptographic key, 

providing at least one organizational structvire relating the 
key to the property and/or attribute, and 

encapsulating the property, the attribute, the 
cryptographic key and the organizational structure, either 
expUcitly or by reference, iuto an electronic container structure. 

81. A self-protecting container system comprising: 
at least one property. 
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at least one attribute, 

at least one cryptographic key, and 

at least one organizational structure relating the key to the 
property and/or attribute. 

82. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that each node can perform self- 
administering processes in response to electronic components. 

83. A self-administering electronic component comprising: 
at least one method for performing at least a portion of a 

transaction, 

at least one method for generating audit information, and 
at least one method for securely receiving and interpreting 
administrative information. 

84. A self-administering electronic component performing 
the following methods: 

at least one method for performing at least a portion of a 
transaction, 

at least one method for generating audit information, and 
at least one method for securely receiving and interpreting 
administrative information. 
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85. A self-describing electronic component defining at least 
one parameter and/or function, characterized in that the 
component includes at least one secure, descriptive portion used 
to create a human readable interface describing the parameter 
and/or function. 

86. A method for processing a self-describing electronic 
component defining at least one parameter and/or function, 
characterized by the step of creating, at least in part with the 
component, a human readable interface describing the parameter 
and/or function based at least in part on at least one secure, 
descriptive portion of the component. 

87. A method of performing an electronic transaction 
comprising: 

receiving plural components, 

electronically detecting the occurrence of an event, 

determining, based on the event, a subset of the plural 
received components to process the event, and 

performing, in response to the event, at least one electronic 
process based on the component subset. 

88. A system for performing an electronic transaction 
comprising: 

means for receiving plural components, 
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means for electronically detecting the occurrence of an 

event, 

means for determining, based on the event, a subset of the 
plural received components to process the event, and 

means for performing, in response to the event, at least one 
electronic process based on the component subset. 

89. A distributed transaction processing method 

characterized by the following steps: 

receiving a first electronic component at a first location, 
receiving a second electronic component at a second 

location, 

electronically detecting occurrence of an event at the first 
location, 

processing, in response to the event detection, a first 
portion of an electronic transaction at the fixst location based at 
least in part on the first electronic component, 

securely transmitting at least one signal firom the first 
location to the second location, and 

processing at least a second portion of the electronic 
transaction at the second location based at least in part on the 
second electronic component. 
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90. A method as in claim 89 further characterized by: 
sending at least one signal from the second location to the 

first location, and 

performing at least a third portion of the electronic 
transaction at the first location based at least in part on receipt of 
the signal firom the second location. 

91. A distributed Ixansaction processing system 
characterized by: 

means at a first location for receiving a first electronic 
component, for electronically detecting occurrence of an event, for 
processing, in response to the event detection, a first portion of an 
electronic transaction at the first location based at least in part 
on the first electronic component, and for securely transmitting 
at least one signal firom the first location to a second location; and 

means at the second location for receiving a second 
electronic component, and for processing at least a second portion 
of the electronic transaction based at least in part on the second 
electronic component. 

92. A system as in claim 91 further characterized by: 
means at the second location for sending at least one signal 

fi*om the second location to the first location, and 
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means at the first location for performing at least a third 
portion of the electronic transaction at the first location based at 
least in part on receipt of the signal firom the second location. 

93. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that each node can perform 
electronic processes in response to receipt and assembly of 
electronic components, and the node authenticates each of the 
electronic components before assembling them. 

94. A distributed electronic rights management method 
comprising: 

performing, with at least one protected processing 
environment, electronic processes in response to receipt and 
assembly of electronic components, and 

authenticating, within the protected processing 
environment, each of the electronic components before 
assembling them. 

95. A method as in claim 94 wherein the authenticating 
step includes the step of obtaining a corresponding certificate 
firom a certifying authority. 
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96. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that each node can perform 
electronic processes in response to receipt and assembly of 
electronic components, and the node authenticates each of the 
electronic components by obtaining a corresponding certificate 
from a certifying authority. 

97. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a certifying authority that issues certificates 
allowing each node to authenticate electronic components before 
assembling them to perform and/or control electronic rights 
management processes. 

98. In a distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, a method characterized by the step of issuing 
certificates allowing each node to authenticate electronic 
components before assembling them to perform and/or control 
electronic rights management processes. 

99. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that said nodes enforce usage 

962 



wo 96/27155 



PCTAJS96y02303 



and/or access controls and is capable of electronically obtaining 
compensation from a user and/or other processing of usage 
information for subsequent transfer to rights holders. 

100. In a distributed electronic rights management system 
comprising plural nodes having a protected processing 
environment, a metiiod characterized by the step of enforcing 
usage and/or access controls and electronically obtaining 
compensation from a user and/or other processing of usage 
information for subsequent transfer to rights holders. 

101. A distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, characterized in that each node enforces usage 
and/or access controls based on receipt of information from 
multiple other nodes. 

102. A distributed electronic rights management method 
characterized by the step of enforcing, with a protected 
processing environment, usage and/or access controls based on 
receipt of information from multiple other nodes. 

103. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that said nodes are capable of at 
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least temporarily extending electronic credit to an associated 
user for use in compensating rights holders. 

104. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method of operating the environment 
characterized by the step of at least temporarily extending 
electronic credit to an associated user for use in compensating 
rights holders. 

105. A distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, characterized in that said nodes are capable of 
requesting and obtaining a user-specific electronic credit 
assurance from a clearinghouse before granting the user rights to 
access and/or use electronically protected information. 

106. In a distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, a method characterized by the step of requesting 
and obtaining a user-specific electronic credit assurance from a 
clearinghouse before granting the user rights to access and/or use 
electronically protected information. 
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107. A distributed electronic rights management system 
comprising plural nodes each having a protected processing 
envirozunenty characterized in that each node is capable of 
performing and/or requesting an electronic debit or credit 
transaction as a condition to granting the user rights to access 
and/or use electronically protected information. 

108. In a distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, a method characterized by the step of performing 
and/or requesting an electronic debit or credit transaction as a 
condition to granting the user rights to access and/or use 
electronically protected information. 

109. A distributed electronic rights management system 
comprising plural nodes each having a protected processing 
environment, characterized in that each node can maintain an 
audit trail of user activities for reporting to a centralized location, 
the centralized location analyzing the user activities based on the 
audit trail. 

110. In a distributed electronic rights management system 
comprising plural nodes each having a protected processing 
enviroiunent, a method characterized by the steps of: 
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mamtaining, a plural locations, audit trails of user 
activities for reporting to a centralized location, and 

analyzing^ at the centralized location^ the user activities 
based on the audit trail. 

111. A distributed electronic rights management system 
comprising pliiral nodes having protected processing 
environments, characterized in that said node can monitor user 
activities and trigger the occurrence of unrelated events based on 
the user activities and/or the electronic controls that associate 
the user activities with the unrelated events. 

112. A system as in claim 111 wherein the unrelated event 
is activation of an appUcation program. 

113. A system as in claim 111 wherein the unrelated event 
is use of a secure container. 

114. A system as in claim 111 wherein the unrelated event 
is use of the protected processing environment. 

115. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the step of monitoring 
user activities at said nodes, and triggering the occurrence of 
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tmrelated events based on the user activities and electronic 
controls that associate the user activities with the unrelated 
events. 

116. A method as in claim 115 wherein the unrelated 
event is at least one of: 

activation of an application program, 

use of a secxure container, and 

use of the protected processing environment. 

117. A method of compromising a distributed electronic 
rights management system comprising plural nodes having 
protected processing environments, characterized by the 
following steps: 

exposing a certification private key to allow a person to 
pass a challenge/response protocol, 

defeating at least one of (a) an initiaUzation 
challenge/response security, and/or (b) exposing external 
communication keys, 

creating a processing environment based at least in part on 
the above-mentioned steps, and 

participating in distributed rights management using the 
processing environment. 
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118. A processing environment for compromising a 
distributed electronic rights management system comprising 
plural nodes having protected processing environments, 
characterized by the following: 

means including an exposed certification private key to 
pass a challenge/response protocol, 

means for defeating at least one of (a) an initialization 
challenge/response security, and/or (b) exposing external 
communication keys, and 

means for participating in distributed rights management. 

119. A method of compromising a distributed electronic 
rights management system comprisiag plural nodes having 
protected processing environments, characterized by the step of 
compromising the permissions record of an electronic container 
and using the compromised permissions record to access and/or 
use electronic information. 

120. A system for compromising a distributed electronic 
rights management system comprising plural nodes having 
protected processing environments, characterized by means for . 
using a compromised permissions record of an electronic 
container for accessing and/or using electronic information. 
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121. A method of tampering with a protected processing 
environment characterized by the steps of: 

discovering at least one system-wide key, and 
using the key to obtain access to content and/or 
administrative information without authorization. 

122. An arrangement including means for using at least 
one compromised system-wide key to decrypt and compromise 
content and/or administrative information of a protected 
processing environment without authorization. 

123. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that said nodes can electronically 
fingerprint content before releasing it in tmprotected form. 

124. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by performing, in at least 
one of the nodes, the step of electronically fingerprinting content 
before releasing it in tmprotected form. 

125. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that said nodes can embed. 
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within the electronic content, an electronic fingerprint containing 
specified information identifying a content rights holder and/or 
an indication of origin before including the content in an 
electronic container or allowing access to such content. 

126. In a distributed electronic rights management system 
comprising ploiral nodes having protected processing 
environments, a method characterized by the step of embedding, 
within electronic content, an electronic fingerprint containing 
specified information, including information identifying a content 
rights holder and/or an indication of origin before including the 
content in an electronic container or allowing access to such 
content. 

127. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that the system iacludes one or 
more usage clearinghouses that receive usage information firom 
one or more of the plural nodes. 

128. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the step of receiving, 
with a usage clearinghouse, usage information firom one or more 
of said plural nodes. 
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129. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that the system includes one or 
more financial clearinghouses that receive financial information 
relating to the use of or access to content fi*om one or more of 
nodes. 

130. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the step of receiving, 
with one or more financial clearinghouses, financial information 
firom one or more of the plural nodes. 

131. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that the system includes one or 
more analysis clearinghouses that receive information firom one 
or more of the plural nodes and analyzes the received 
information. 

132. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the step of receiving, 
with one or more analysis clearinghouses, information firom one 
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or more of the pltiral nodes and analyzing the received 
information. 

133. A method of processing information pertaining to the 
use of or access to electronic content wherein such information is 
received from one or more nodes having protected processing 
environments. 

134. A method of providing credit for interaction with 
content to a protected processing environment node. 

135. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that tiie system includes one or 
more clearinghouses that transmits rights and/or permissioning 
information to one or more of the plural nodes. 

136. In a distributed electronic rights management system 
comprising plxiral nodes having protected processing 
environments, a method characterized by the step of transmitting 
rights and/or permissioning information from a clearinghouse to 
one or more of the plural nodes. 
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137. A distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, characterized in that the system includes one or 
more clearinghouses that periodically transmit cryptographic 
material to one or more of said nodes, the cryptographic materia] 
renewing and/or replacing expiring cryptographic material. 

138. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the step of periodically 
transmitting cryptographic material from one or more 
clearinghouses to one more of said nodes, the cryptographic 
material renewing and/or replacing expiring cryptographic 
material. 

139. A secure electronic container characterized ia that 
the container contains electronic controls for controlling the use 
of and/or access to electronic content that is external to the 
container. 

140. A method comprising: 

accessing electronic controls within a secure electronic 
container; and 
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using the controls for at least in part controlling the use of 
and/or access to electronic content that is external to the 
container. 

141. A secure electronic container characterized in that 
the container contains electronic controls for controlling, at least 
in part, the use of and/or access to distributed electronic content. 

142. A method comprising: 

accessing electronic controls within a secure electronic 
container; and 

using the controls for controlling, at least in part, the use of 
and/or access to distributed electronic content. 

143. A secure electronic container characterized in that 
the container contains electronic controls that cause electronic 
content to expire on a time-dependent basis. 

144. A method for processing a secure electronic container 
including the step of causiag, at least in part based on electronic 
controls within the container, electronic content to expire on a 
time-dependent basis. 
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145. A method of metering use of and/or access to 
electromc iiiformation characterized by the step of maintainiiig a 
bitmap meter data structure includiiig data partitions that 
subdivide the metering information by time and/or subject 
matter. 

146. A system for metering use of and/or access to 
electronic information characterized by means for maintaining a 
bitmap meter data structure including data partitions that 
subdivide the metering information by time and/or subject 
matter. 

147. A distributed electromc rights management system 
comprising plural nodes having protected processing 
environments, characterized in that the system permits at least 
some of the nodes to securely describe permitted uses of 
electronic content and securely enforces said description. 

148. In a distributed electronic rights management system 
comprising plural nodes having protected processing 
environments, a method characterized by the steps of permitting 
at least some of the nodes to sectirely describe permitted uses of 
electronic content, and securely enforcing said description. 
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149. A document management system comprising one or 
more electronic appliances containing one or more secm^e 
processing units and one or more secure databases operatively 
connected to at least one of said secure processing imits, said 
system further including protected usage control information 
wherein (a) at least a portion of said control information is 
secvu-ely stored within one or more of said secure databases, and 
(b) at least a portion of said control information governs the 
production of usage information, at least a portion of which usage 
information is reported to one or more parties. 

150. In a document management system comprising one or 
more electronic appliances containing one or more secure 
processing units and one or more secure databases operatively 
connected to at least one of said secure processing units, a 
method for processing protected usage control information 
including the steps of securely storing at least a portion of said 
control information witiiin one or more of said secinre databases, 
and (b) based at least la part on said control information, 
governing the production of usage information and the reporting 
of at least a portion of said \isage information to one or more 
parties. 

151. A document management system comprising plural 
electronic appliances containing protected processing 
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environments and one or more secure databases operatively 
connected to at least one of said protected processing 
environments, said system iiirther including protected usage 
control information, wherein (a) at least a portion of said control 
information is securely stored within one or more of said secure 
databases, and (b) at least a portion of said control information 
governs the production of usage information and the reporting of 
at least a portion of said usage information to one or more 
parties. 

152. In a docimient management system comprising plural 
electronic appUances containing protected processing 
environments and one or more secure databeises operatively 
connected to at least one of said protected processing 
environments, a metJiod of handling usage control information 
including the steps of (a) securely storing at least a portion of 
said control information within one or more of said secure 
databases, and (b) governing, based on at least a portion of said 
control information, the production of usage information and the 
reporting of at least a portion of said usage information to one or 
more parties. 

153. An electronic contract system comprising electronic 
appliances containing one or more secure processing units and 
one or more secure databases operatively connected to at least 
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one of the secure processing units, said system furthering 
including means for enabling plural parties to enter into an 
electronic arrangement, at least one of said databases containing 
secure control information for managing at least a portion of a 
plural party electronic arrangement. 

154. In an electronic contract system comprising plural 
electronic appliances containing one or more secure processing 
units and one or more secure databases operatively connected to 
at least one of the secure processing imits, a method 
characterized by the steps of enabling plural parties to enter into 
to an electronic arrangement, and using secure control 
information contained by at least one of said databases for 
managing at least a portion of a plural party electronic 
arrangement. 

155. An electronic apphance arrangement containing at 
least one secure processing unit and at least one secure database 
operatively connected to at least one of said secure processing 
unit(s), said arrangement including means to monitor usage of at 
least one aspect of appliance usage and control said usage based 
at least in part upon protected apphance usage control 
information. 
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156. In an electronic appliance arrangement containing at 
least one secure processing unit and at least one secure database 
operatively connected to at least one of said secure processing 
unit(s), a method characterized by the steps of monitoring usage 
of at least one aspect of appliance usage and controlling said 
usage based at least in part upon protected appliance usage 
control information. 

157. An electronic appliance arrangement containing a 
protected processing environment and at least one secure 
database operatively connected to said protected processing 
environment, said arrangement including means to monitor 
usage of at least one aspect of an amount of appliance usage and 
control said usage based at least in part upon protected appliance 
usage control information processed at least in part through use 
of said protected processing environment. 

158. In an electronic appliance arrangement containing a 
protected processing environment and at least one sectnre 
database operatively coimected to said protected processing 
environment, a method characterized by the steps of monitoring 
usage of at least one aspect of appliance usage and controlling 
said iisage based at least in part upon protected appliance usage 
control information processed at least in part through use of said 
protected processing enviroimient. 
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159. An electronic appliance arrangement containing one 
or more CPUs wherein at least one of the CPUs incorporates an 
integrated secure processing unit, said arrangement storing 
protected appliance usage control information designed to be 
securely processed by said integrated secure processing unit. 

160. In an electronic appliance arrangement containing 
one or more CPUs wherein at least one of the CPUs incorporates 
an integrated secure processing imit, a method including the step 
of storing and securely processing protected modular component 
appUance usage control information with said integrated secure 
processing unit. 

161. An electronic appUance arrangement containing at 
least one first secxu-e processing luiit and one or more video 
controllers where at least one of the video controllers 
incorporates at least one second secure processing unit, said 
arrangement storing protected video function control information 
designed to be securely processed by said incorporated secure 
processing unit(s). 

162. In an electronic appHance arrangement containing at 
least one first secure processing tmit and one or more video 
controllers where at least one of the video controllers 
incorporates at least one second secure processing unit, the 
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method characterized by the step of storing protected video 
function control information designed to be securely processed by 
said incorporated secure processing unit(s). 

163. An electronic appliance arrangement containing one 
or more video controllers where at least one of the video 
controllers incorporates at least one secure processing unit, said 
arrangement storing protected video function control information 
designed to be securely processed by said incorporated secure 
processing xmit(s), wherein at least a portion of said video 
function control information is stored within a secure database 
operatively connected to at least one of said at least one secure 
processing units. 

164. In an electronic appliance arrangement containing 
one or more video controllers where at least one of the video 
controllers incorporates at least one secure processing unit, a 
method including the steps of storing protected video function 
control information designed to be securely processed by said 
incorporated secure processing unit(s), within a database 
operatively connected to at least one of said at least one secure 
processing imits. 

165. An electronic appUance arrangement containing one 
or more video controllers and at least one secure processing unit, 
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said arrangement storing component, modular protected video 
function control information designed to be securely processed by 
said secure processing unit(s), wherein at least a portion of said 
video function control information is stored within a secure 
database operatively connected to at least one of said at least one 
secure processing unit(s). 

166. An electronic appliance arrangement containing one 
or more video controllers and at least one secure processing unit, 
a method including the step of storing component, modular 
protected video function control information designed to be 
securely processed by said secure processing unit(sX within a 
secure database operatively connected to at least one of said at 
least one secure processiag imit(s). 

167. An electronic appliance arrangement contaioing at 
least one secure processing tmit and one or more network 
commimications means where at least one of the network 
communications means iacorporates at least one further secure . 
processing unit, said arrangement storing protected networking 
control information designed to be processed by said incorporated 
secure processing unit(s). 

168. In an electronic appliance arrangement containing at 
least one secure processing unit and one or more network 
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communications means, a method characterized by the steps of 
incorporating, within at least one of the network communications 
means, at least one further secure processing unit, storing 
networking control information at least in part within said 
incorporated secure processing imit(s), and securely processing 
said protected networking control information with said secure 
processing unit(s). 

169. An electronic appHance arrangement containing one 
or more modems where at least one of the modems incorporates 
at least one secure processing imit, said arrangement storing 
modular, component protected modem control information 
designed to be securely processed by said incorporated secure 
processing unit(s). 

170. In an electronic appUance arrangement containing 
one or more modems where at least one of the modems 
incorporates at least one secure processing unit, a method 
characterized by the step of storing and securely processing 
modular, component protected modem control information with 
said incorporated secure processing miit(s). 

171. An electronic appliance arrangement containing at 
least one secure processing imit and one or more modems where 
at least one of the modems includes at least one further secure 
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processing unit, said arrangement storing protected modem 
control information designed to be securely processed by said 
included secure processing unit(s). 

172. In an electronic appliance arrangement containing at 
least one secin^e processing unit and one or more modems where 
at least one of the modems includes at least one further secure 
processing unit, a method including the step of storing and 
securely processing protected modem control information within 
said included secure processing tmit(s). 

173. An electronic apphance arrangement containing at 
least one secure processing unit and one or more CD-ROM 
devices where at least one of the CD-ROM devices incorporates at 
least one further secure processing unit, said arrangement 
storing protected CD-ROM control information designed to be 
securely processed by said incorporated secure processing unit(s). 

174. In an electronic appliance arrangement containing at 
least one secure processing unit and one or more CD-ROM 
devices where at least one of the CD-ROM devices incorporates at 
least one further secure processing unit, a method characterized 
by the step of storing and securely processing protected CD-ROM 
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control iBformation within said incorporated secure processing 
iimt(s). 

175. An electronic appliance arrangement containing one 
or more network communications means where at least one of the 
network commtmications means incorporates at least one secure 
processing unit, said arrangement storing modular, component, 
protected networking control information designed to be securely 
processed by said incorporated secure processing unit(s). 

176. In an electronic appliance arrangement containing 
one or more network communications means where at least one 
of the network communications means incorporates at least one 
secure processing imit, a method characterized by the step of 
storing and securely processing protected networking control 
information with said incorporated secure processing unit(s). 

177. A set-top controller arrangement containing a 
protected processing environment and a database operatively 
connected to said protected processing environment, said 
arrangement farther containing control information for 
controlling usage of said controller based upon processing of at 
least a portion of said control information within said protected 
processing environment, wherein at least a portion of said control 
information is stored within said database. 
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178. In a set-top controller arrangement containing a 
protected processing environment and a database operatively 
connected to said protected processing environment, a method 
characterized by the step of: (a) using control information within 
the set-top controller arrangement for controlling tisage of said 
controller based upon processing of at least a portion of said 
control information within said protected processing 
environment, and storing at least a portion of said control 
information within said database. 

179. An electronic game arrangement containing a 
protected processing environment for controlling the use of 
electronic games, said arrangement including game usage control 
information, database means operatively connected to said 
protected processing environment for, at least in part, storing 
usage control information for regulating at least some aspect of 
use of at least a portion of at least one of said games, and 
traveling objects containing protected electronic game content. 

180. In an electronic game arrangement containing a 
protected processing environment for controlling the use of 
electronic games, a method including the steps of: 

(a) including game usage control information within a 
database means operatively coimected to said protected 
processing environment; and 
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(b) regulating, at least in part with the stored usage control 
information, at least some aspect of use of at least a portion of at 
least one of said games. 

181. A method as in claim 178 further including the step of 
regulating the use of traveling objects containing protected 
electronic game content. 

182. An electronic game arrangement containing 
interoperable protected processing environments for controlling 
the use of interactive games, said arrangement iacluding 
protected game usage control information, and database means 
operatively connected to said protected processing environments 
for, at least in part, storing game usage control information. 

183. In an electronic game arrangement contaioing 
protected processing environments, a method comprising: 

(a) storing, within a secure database means operatively 
connected to said protected processing environments protected 
game usage control information; and 

(b) controlling the use of interactive games based at least 
in part on the storing game usage control information. 

184. An electronic game arrangement containing 
interoperable protected processing environments for controlling 
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the use of games, said arrangement including component, 
modular^ protected game usage control information, wherein at 
least a portion of said protected control information was provided 
independently by plural parties securing their respective rights 
in at least one electronic value chain. 

185. In an electronic game arrangement containing 
interoperable protected processing environments for controlling 
the use of games, a method including the steps of: 

(a) providing at least a portion of component, modxilar, 
protected game usage control information independently by 
plural parties; and 

(b) using the control information at least ia part to 
securing respective rights of said plural parties in at least one 
electronic value chain. 

186. An electronic midtimedia arrangement containing 
protected processing environments for controlling the use of 
multimedia, said arrangement including component, modular 
multimedia usage control information and database means 
operatively connected to said protected processing environments 
for, at least in part, storing multimedia usage control 
information. 
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187. In an electronic multimedia arrangement containing 
protected processiag environments for controlling the use of 
multimedia, a method including the steps of storing multimedia 
usage control information within a database means operatively 
connected to said protected processing environments, and using 
the stored control information to control multimedia. 

188. An electronic multimedia arrangement containing a 
protected processing environment for controlling the use of 
multimedia, said arrangement including multimedia usage 
control information, database means operatively connected to 
said protected processing enviroimient for, at least in part, 
storing multimedia usage control information, and protected 
traveling objects containing distributed multimedia electronic 
content. 

189. In an electronic midtdmedia arrangement containing 
a protected processing environment, a method characterized by 
the steps of storing multimedia usage control information within 
a database means operatively connected to said protected 
processing environment, and controUrog, based at least in part on 
the stored information, protected traveling objects containing 
distributed multimedia electronic content. 
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190. An electroxlic multimedia arrangement containing 
interoperable protected processing environments for controlling 
the use of multimedia, said arrangement including component, 
modular, protected multimedia usage control information, 
wherein at least a portion of said protected control information 
was provided independently by plural parties securing their 
respective rights in at least one electronic value chain. 

191. A system as in claim 188 further including a secure 
processing imit. 

192. In an electronic multimedia arrangement containing 
protected processing environments, a method comprising 
providing at least a portion of component, modular, protected 
multimedia usage control information independently by plural 
parties securing their respective rights in at least one electronic 
value chain, and using the usage control information to control 
the use of multimedia. 

193. A method as in claim 190 wherein the using step is 
performed at least in part within a secure processing unit. 

194. An integrated circuit supporting multiple encryption 
algorithms comprising at least one microprocessor, memory, 
input/output means, at least one circuit for encrypting and/or 
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decrypting information and one or more software programs for 
use with at least one of the microprocessors to perform encryption 
and/or decryption functions. 

195. In a secure integrated circuit supporting multiple 
encryption algorithms comprising at least one microprocessor, 
memory, input/output means, and providing a protected 
processing environment, a method characterized by executing at 
least a portion of one or more software programs with the 
microprocessor to perform encryption and/or decryption functions 
within the integrated circuit. 

196. An integrated circuit comprising at least one 
microprocessor, memory, at least one real time clock, at least one 
random number generator, at least one circuit for encrypting 
and/or decrypting information and independently deUvered 
and/or independently deUverable certified software. 

197. An integrated circuit comprising at least one 
microprocessor, memory, input/output means, a tamper resistant 
barrier and at least a portion of a Rights Operating System. 

198. An integrated circuit comprising at least one 
microprocessor, memory, input/output means, at least one real 
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tiine dock, a tamper resistant barrier and means for recording 
interruption of power to at least one of the real time clocks. 

199. A method of distributing information characterized by 
the steps of compressing information, encrypting the compressed 
information at the first location, distributing the encrypted 
information to one or more second locations, using a tamper 
resistant integrated circuit to first decrypt and then decompress 
the information. 

200. A system for distributing information characterized 

by: 

means for compressing information, 
means for encrypting the compressed information at the 
first location, 

means for distributing the encrypted information to one or 
more second locations, and 

means for using a tamper resistant integrated circuit to 
first decrypt and then decompress the information. 

201. A method of securely managing distributed events 
characterized by the steps of providing secure event processing 
environments to one or more users, enabling a first user to 
specify control information for event management through the 
use of a first secure event processing environment, and managing 
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the processing of such an event through the use of a second 
secure event processing environment. 

202. A system for securely managing distributed events 
characterized by: 

a first secure event processing environment for enabling a 
first user to specify control information for event management, 
and 

a second secure event processing environment 
interoperable with the first event processing environment for 
managing the processing of such an event. 

203. A method for enabling electronic commerce chain of 
handling and control characterized by the step of a first and a 
second party independently specifying protected, modidar 
component control information describing requirements related 
to the operation of an electronic commerce value chain. 

204. A system for enabling electronic commerce chain of 
handling and control characterized by means for permitting a 
first and a second party to independently specify protected, 
modular component control information describing requirements 
related to the operation of an electronic commerce value chain of 
handling and control, and means for securely enforcing the 
requirements described by the control information. 
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205. A method for enabling electronic commerce 
characterized by the step of a first and a second party 
independently stipulating control information managing the use 
of digital iaformation, wherein said first and said second party 
independently maintain persistent rights enforced by said control 
information as said digital information moves through a chain of 
handling and control. 

206. A system for enabling electronic commerce including: 
means for allowing a first party to stipvdate control 

information managing the use of digital information, 

means for allowing a second party to stipulate control 

information managing the use of the digital information, and 
chain of handling and control means for maintaining 

persistent rights enforced by said control information as said 

digital information moves firom one location and/or process to 

another. 

207. A method for secure maintenance of electronic rights 
comprising a first step of plural parties in a value chain 
independently and securely stipulating control information 
regarding their electronic rights, wherein said control 
information is used to enforce conditions related to the use of 
electronic information distributed in software containers. 
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208. A system for secure maintenance of electronic rights 
comprising: 

means permitting plural parties in a value chain to 
independently and securely stipulates control information 
regarding their electronic rights, and 

means for using said control information to enforce 
conditions related to the use of electronic information distributed 
in software container. 

209. A method for seciirely controlling the use of protected 
electronic content including the step of supporting modular 
separate control information arrangements for managing at least 
one event related to use of said content such that a user may 
select between separate control information arrangements for 
managing such at least one event. 

210. A system for securely controlling the use of protected 
electronic content iacluding modular separate control 
information arrangements for managing at least one event 
related to use of said content such that a user may select between 
separate control information arrangements for managing such at 
least one event. 

211. A method employing separate, modular control 
structures for managing the use of encrypted digital information 
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characterized by the step of enabling commercial value chain 
participants to support plural relationships between two or more 
of: (1) content event triggering, (2) auditing, and (3) budgeting, 
control variables. 

212. A system for employing separate, modular control 
structures for managing the use of encrypted digital information 
characterized by means for enabling commercial value chain 
participants to support plural relationships between two or more 
of: (1) content event triggering, (2) auditing, and (3) budgeting, 
control variables. 

213. A method of chain of handling and control enabling a 
party not directly participating in an electronic value chain to 
contribute secure control information to enforce at least one 
control requirement, said method characterized by a first step of 
a first value chain participant stiptdating control information 
associated with digital information and a second step wherein 
said not directly participating party independently and securely 
contributes secure control information for inclusion in an 
aggregate control information set including said associated 
control information, said aggregate control information at least in 
part managing conditions related to the use of at least a portion 
of said digital information by a second value chain participant. 
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214. A chain of handling and control system for enabling a 
party not directly participating in an electronic value chain to 
contribute secure control information to enforce at least one 
control requirement, said system characterized by : 

means for allowing a first value chain participant to 
stipulate control information associated with digital information, 

means for allowing the not directly participating party to 
independently and securely contribute secure control information 
for iaclusion in an aggregate control information set including 
said associated control information, 

and means responsive to said aggregate control 
information for at least in part managing conditions related to 
the use of at least a portion of said digital information by a 
second value chain participant. 

215. A method of electronic commerce control information 
management for delegating the administration of certain rights 
held by a value chain party to a second value chain party 
characterized by the step of said first party stipulating secure 
control information describing at least a portion of their rights 
related to one or more chain of handling and control electronic 
events wherein said first party provides further control 
information authorizing said second party to administer some or 
all of said rights as an agent for said first party. 
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216. A system for electronic commerce control information 
management for delegating the administration of certain rights 
held by a value chain party to a second value chain party 
characterized by: 

means for allowing said first party to stipulate secure 
control information describing at least a portion of their rights 
related to one or more chain of handling and control electronic 
events; and 

means for allowing said first party to provide further 
control information authorizing said second party to administer 
some or all of said rights as an agent for said first party. 

217. A method of governing taxation of commercial events 
resulting firom electronic chain of handling and control 
characterized by a first step of distributing secure digital 
information to a user and specifying secure control information 
controlling at least one condition for use of said digital 
information and a second step of a government agency securely, 
independently contributing secure control information for 
automatically governing tax payments for said conunercial 
events. 

218. A system for governing taxation of commercial events 
restdting fi*om electronic chain of handling and control 
characterized by: 



998 



wo 96/27155 



PCTAJS96/02303 



means for distributing secure digital information to a user; 

means for specifying secure control information controlling 
at least one condition for use of said digital information; and 

means for allowing a government agency to securely, 
independently contribute secure control information for 
automatically governing tax payments for said commercial 
events. 

219. A method of governing privacy rights related to 
electronic events characterized by a first step of a first party 
protecting digital information containing information descriptive 
of preventing a second party fi*om at least one unauthorized use 
and a second step of specifying certain control information 
related to use of at least a portion of said protected digital 
information, wherein said control information enforces at least 
one right of said second party related to privacy and/or permitted 
use(s) of personal and/or proprietary information iacluded in said 
protected digital infonnation. 

220. A system for governing privacy rights related to 
electronic events characterized by: 

means for permitting a first party to protect digital 
information containing information descriptive of preventing a 
second party from at least one imauthorized use; 
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means for specifying certain control information related to 
use of at least a portion of said protected digital information; and 

means for using the control information to enforce at least 
one right of said second party related to privacy and/or permitted 
use(s) of personal and/or proprietary information included in said 
protected digital information. 

221, A method of governing privacy rights related to 
electronic events characterized by a first step of a first party 
protecting digital information fi:'om at least one imauthorized use 
and stipulating certain control information for establishing 
conditions for use of said protected information and a second step 
of a user of said digital information stipulating further control 
information regulating the reporting of information regarding 
said user's use of at least a portion of said digital information. 

222. A system for governing privacy rights related to 
electronic events characterized by: 

means for allowing a first party to protect digital 
information firom at least one unauthorized use and for 
stipulating certain control information for establishing conditions 
for xise of said protected information; and 

means for allowing a user of said digital information to 
stipidate further control information regulating the reporting of 
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infonnatioii regarding said usei^s use of at least a portion of said 
digital information. 

223, A secure method for regulating electronic conduct and 
commerce characterized by a step of distributing interoperable 
protected processing environments and circulating amongst 
plural recipients of said protected processing environments 
software containers containing digital content and related 
content control information prepared for use by at least a portion 
of said protected processing environments, wherein said method 
includes the further step of regulating the use at least some of 
said digital content based, at least in part, on the secure 
processing of at least a portion of said control information 
through the use of at least one protected processing environment. 

224. A secure system for regulating electronic conduct and 
commerce characterized by: 

distributed interoperable protected processing 
environments, 

means for circulating, amongst said protected processing 
environments, software containers containing digital content and 
related content control information prepared for use by at least a 
portion of said protected processing environments, and 

means within at least some of the protected processing 
environments for regulating the use at least some of said digital 
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content based, at least in part, on the secure processing of at 
least a portion of said control information. 

225. A method of electronic commerce^networking for 
enabling a secure electronic retail environment characterized by 
the step of suppljdng user certified control information, smart 
cards, secure processing units, and retailing terminal 
arrangements networked together using VDE communication 
techniques and secure software containers. 

226. An electronic commerce networking system for 
enabling a secure electronic retail environment characterized by: 

means for networking together smart cards, secure 
processing vmits, and retailing terminal arrangements; and 

means for making the smart cards, secure processing units, 
and retailing terminal arrangements interoperable with one 
another and with VDE communication techniques and secure 
software containers. 

227. A method of enabling electronic commerce appliances 
for securely administering user rights in commerce activities 
characterized by the step of providing to users at least a portion 
of a VDE node contained within a physical device, said device 
being configured to be compatible with mating connectors ia host 
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systems for supportmg secure, interoperable transaction activity 
between plural parties. 

228. A system for securely administering user rights in 
commerce activities comprising a physical device including at 
least a portion of a portable VDE node, said device being 
configured to be compatible with mating coimectors in host 
systems for supporting secure, interoperable transaction activity 
between plural parties. 

229. A method for enabling a programmable, electronic 
commerce environment characterized by the step of providing to 
multiple parties secure commerce nodes that securely process 
separate, modular component billing management methods, 
budgeting management methods, metering management 
methods, and related auditing management methods and further 
characterized by the step of supporting triggering of metering, 
auditing, billing, and budgeting methods in response to electronic 
commerce event activities. 

230. A programmable, electronic commerce environment 
characterized by secure commerce nodes each including: 

means for securely processing separate, modular 
component billing management methods, budgeting management 
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methods, metering management methods, and related auditing 
management methods, and 

means for supporting triggering of metering, auditing, 
billing, and budgeting methods in response to electronic 
commerce event activities. 

231. An electronic commerce system including modular, 
standardized control components comprising electronic commerce 
event control instructions stipulated by commerce participants, 
and plural electronic appliances containing one or more secure 
processing units which process at least a portion of such 
commerce event control iostructions, said system further 
containing one or more databases, operatively connected to at 
least one of the secure processing units, for at least in part 
securely storing at least a portion of such control instructions for 
use by said at least one secure processing unit. 

232. In an electronic commerce system including modular, 
standardized control components comprising electronic commerce 
event control instructions stipulated by commerce participants, 
and plural electronic appUances containing one or more secure 
processing units which process at least a portion of such 
commerce event control instructions, a method characterized by 
the step of providing one or more secure databases, operatively 
connected to at least one of the secure processing tmits, and at 
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least in part securely storing, within the secure databases, at 
least a portion of such control instructions for use by said at least 
one secure processing unit. 

233. A content distribution system comprising plural 
electronic apphances containing one or more interoperable secure 
processing units operatively connected to one or more databases 
for use with at least one of said secure processing units, said one 
or more databases containing (a) one or more decryption keys for 
use in decrypting distributed, encrypted digital information, and 
(b) encrypted audit infonnation, said audit information reflecting 
at least one aspect of use of said distributed digital information 

234. A content distribution method comprising: 
distributing plural electronic appUances containing one or 

more interoperable secure processing units 

operatively connecting the apphances to one or more 
databases, 

storing within said one or more databases one or more 
decryption keys, 

using the decryption keys for decrypting distributed, 
encrypted digital information, and 

storing within the one or more databases encrypted audit 
information, said audit information reflecting at least one aspect 
of use of said distributed digital information. 
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235. An electronic currency system comprising plural, 
electronic appliances containing (a) protected processing 
environments, (b) encrypted electronic currency and related 
secure control information configured so as to be useable by at 
least one of said protected processing environments, and (c) 
usage reporting means for securely communicating electronic 
currency usage related information from a first interoperable 
protected processing environment to a second interoperable 
protected processing environment. 

236. An electronic currency method comprising: 
distributing plural, electronic appliances containing (a) 

protected processing environments, (b) encrypted electronic 
currency and related secure control information configured so as 
to be useable by at least one of said protected processing 
environments, and 

securely communicating electronic currency usage related 
information from a first interoperable protected processing 
environment to a second interoperable protected processing 
environment. 

237. A method for electronic financial activities 
characterized by the steps of: 
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commumcating digital containers containing 
financial information from a first interoperable 
secure node to a second interoperable secure node, 
commxmicating modular, standard control 
information to said second secure node to, at least in 
part, set the conditions for use of at least a portion of 
said financial information, 

reporting information related to said use to said first 
interoperable secure node. 

238. A system for electronic financial activities 
characterized by: 

means for communicating digital containers containing 
financial information from a first interoperable secure node to a 
second interoperable secure node, 

means for communicating modular, standard control 
information to said second secure node, 
means at the second node for, at least in part, setting the 
conditions for use of at least a portion of said financial 
information, and 

means for reporting information related to said use from 
the second secure node to said first interoperable seciu-e node. 

239. A method for electronic currency management 
including: 
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commtinicating encrypted electronic currency from a first, 
interoperable secure user node to a second interoperable user 
node iising at least one secure container, and 

providing secure control information for use with said at 
least one secure container, said secure control information, at 
least in part, maintaining conditionally anonymous ctirrency 
usage information. 

240. A system for electronic currency management 
including: 

means for communicating encrypted electronic currency 
from a first, interoperable secure user node to a second 
kiteroperable user node using at least one secure container, and 

means for providing secure control information for use with 
said at least one secure container, said secure control 
information, at least in part, maintaining conditionally 
anonymous currency usage information. 

241. A method for electronic financial activities 
management characterized by the steps of: 

seciirely communicating from a first secure node to a 
second secure node financial information standardized control 
information for controlling the use of financial information used 
in a financial value chain, 
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securely communicating from said first secure node to a 
third secure node said financial information standardized control 
information for controlling the use of financial information used 
in a financial value chain, 

securely communicating encrypted financial information 
from said second secure node to said third secure node, including 
communicating secure control information, 
processing said financial information at said third node at least 
in part through the use of secure control information supplied hy 
said first and said second secure nodes, wherein said 
standardized control information is at least in part stored in a 
secvire database contained within said third secure node. 

242. A system for electronic financial activities 
management characterized by the steps of: 

means coupled to a first and a second secure node for 
seciirely communicating from said first secure node to said 
second secure node financial information standardized control 
information for controlling the use of financial information used 
in a financial value chain, 

means coupled between the first secure node and a third 
secure node for securely conmiunicating from said first secure 
node to said third secure node said financial information 
standardized control information for controlling the use of 
financial information used in a financial value chain, 
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means coupled between the second and third nodes for 
securely communicating enciypted financial information from 
said second secure node to said third secure node, including 
communicating secure control information, and 

means at the third node for processing said financial 
information at said third node at least in part through the use of 
secure control information supplied by said first and said second 
secure nodes, and 

a secure database at the third node for at least in part 
storing said standardized control information. 

243. A method of information management characterized 
by the steps of creating at least one smart object at a first 
location, protecting at least a portion of said smart object 
including protectiag at least one rule and/or control assigned to 
said smart object, distributing said at least one smart object to at 
least one second location, securely processing at least a portion of 
the contents of said at least one smart object at said at least one 
second location in accordance with at least a portion of at least 
one said rule and/or control assigned to said smart object. 

244. An information management system characterized 

by: 

means for creating at least one smart object at a first 
location, 
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means for protecting at least a portion of said smart object 
including means for protecting at least one rule and/or control 
assigned to said smart object, 

means for distributing said at least one smart object to at 
least one second location, and 

means for securely processing at least a portion of the 
contents of said at least one smart object at said at least one 
second location in accordance with at least a portion of at least 
one said rule and/or control assigned to said smart object. 

245. An object processing system comprising at least one 
secure object containing at least in part protected executable 
content and at least one at least in part protected rule and/or 
control associated with operations related to the execution of 
such content, and at least one secure execution environment for 
processing the executable content in accordance with at least a 
portion of at least one of said at least one associated rule and/or 
control. 

246. An object processing method comprising: 
providing at least one secure object containing at least in 

part protected executable content and at least one at least in part 
protected rule and/or control associated with operations related 
to the execution of such content, 
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processing, within at least one secure execution 
environment, the executable content in accordance with at least a 
portion of at least one of said at least one associated rule and/or 
control 

247. A ri^ts distributed database environment iacluding 
(a) means allowing one or more central authorities to establish 
control information for use of encrypted digital information, (b) 
interoperable database management systems at plural user sites 
for securely storing control infonnation and audit information, (c) 
secure communication means for securely conmiunicating control 
information and audit information between user sites, and (d) 
centralized database means for compiling and analyzing usage 
information from plural user sites. 

248. Within a rights distributed database environment, a 
method characterized by the following steps: 

establishing control information for use of encrypted digital 
information, 

securely storing, within interoperable database 
management systems at plural tiser sites, control information 
and audit information, 

securely communicating control information and audit 
information between user sites, and 
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compiling and analyzing usage information from plural 
user sites. 

249. A method of distributed database searching 
characterized by the steps of creating at least one secure object 
containing search criteria, transmitting at least one such secure 
object to one or more second locations to perform database 
searches in accordance with at least one rule and/or control, 
processing at least one database search based at least in part on 
the search criteria within a secure object in accordance with at 
least a portion of at least one of the said at least one associated 
rule and/or control, storing database search results in the same 
and/or one or more new secure objects, and transmitting the 
secure object containing search results to the first location. 

250. A method as in claim 247 further characterized by the 
additional step of associating at least one additional rule and/or 
control with the search results for establishing at least one 
condition related to the use of at least one portion of said search 
results. 

251. A system for distributed database searching 
characterized by: 

means for creating at least one secure object containing 
search criteria, 
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means for transmittmg at least one such secure object to 
one or more second locations to perform database searches in 
accordance with at least one rule and/or control, 

means for processing at least one database search based at 
least in part on the search criteria within a secure object in 
accordance with at least a portion of at least one of the said at 
least one associated rule and/or control, 

means for storing database search results in the same 
and/or one or more new secure objects, and 

means for transmitting the secure object containing search 
results to the first location. 

252. A system as in claim 249 further characterized by 
means for associating at least one additional rule and/or control 
with the search results for establishing at least one condition 
related to the use of at least one portion of said search results. 

253. A rights management system comprising protected 
information, at least two protected processing arrangements, and 
a rights management language that allows the expression of 
permitted operations and the consequences of performing such 
operations on at least a portion of the information processed at 
least in part by at least one of the protected processing 
arrangements. 
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254. A rights management method comprising: 
providing protected information for processing by at least 

two protected processing arrangements, and 

expressing, in a rights management language, permitted 
operations and the consequences of performing such operations 
on at least a portion of the information processed at least in part 
by at least one of the protected processing arrangements. 

255. A method of protecting digital information 
characterized by the steps of encrypting at least a portion of the 
information, using a rights management language to describe the 
conditions related to use of the information, distributing at least 
a portion of such information and at least a portion of such rights 
language expressed conditions to one or more recipients, using an 
electronic apphance arrangement including at least one protected 
processing arrangement to securely govern at least a portion of 
the use of such ioformation. 

256. A system for protecting digital information 
characterized by: 

means for encrypting at least a portion of the information, 
means for using a rights management language to describe 
the conditions related to use of the information, 
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means for distributing at least a portion of such 
information and at least a portion of such rights language 
expressed conditions to one or more recipients, and 

an electronic appliance arrangement including at least one 
protected processing arrangement for securely governing at least 
a portion of the use of such information. 

257. A distributed digital information management system 
comprising software components, a rights management language 
for expressing processing relationships between two or more of 
the software components, protected processing means for at least 
a portion of the software components and at least a portion of the 
rights management expressions, means for protecting content, 
means for creating software objects that relate protected content 
to rights management e^qpressions, and means for dehvering 
protected content, rights management expressions, and such 
software objects from a providing location to a user^s location. 

258. A distributed digital information management 
method comprising: 

expressing, in a rights management language, processing 
relationships between two or more of the software components, 

processing, within at least one protected environment, at 
least a portion of the software components and at least a portion 
of the rights management expressions, 
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protecting content, 

creating software objects that relate protected content to 
rights management expressions, and 

delivering protected content, rights management 
egressions, and such software objects from a providing location 
to a user's location. 

259. An authentication system comprising at least two 
electronic appliances, at least two digital certificates reflecting 
identity information encrypted using different certifying private 
keys where such certificates are stored in a first electronic 
appliance, cozmnunicatLons means for transmitting and receiving 
signals between electronic appliances, means for determining 
compromised and/or expired certifying private keys operatively 
connected to a second electronic appHance, means for tiie second 
electronic appliance to request transmission of one of the digital 
certificates from the first electronic appliance based at least in 
part on such determination, and means operatively connected to 
such second electronic appHance for decrypting such certificate 
and determining such certificate's validity and/or the validity of 
identity information. 

260. In a system comprising at least two electronic 
appliances, an authenticating method comprising: 
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issuing at least two digital certificates reflecting 
identification information, including the step of enciypting the 
two certificates using different certifying private keys, 

storing the certificates in a first electronic appliance, 
transmittiog and receiving signals between electronic 
appliances, 

determining compromised and/or expired certifying private 
keys operatively connected to a second electronic appliance, 

requesting, with the second electronic appliance, 
transmission of one of the digital certificates fi:om the first 
electronic appUance based at least in part on such determination, 

decrypting such certificate with the second electronic 
appliance, and 

determining such certificate's validity and/or the validity of 
identity information. 

261. An authentication system comprising at least two 
electronic appHances, at least two digital certificates r^ecting 
identify information encrypted using difierent certifying private 
keys where such certificates are stored in a first electronic 
appliance, communications means for transmitting and receiving 
signals between electronic appliances, means for a second 
electroidc appUance to request transmission of one of the digital 
certificates from the first electronic apphance wherein the 
selection of which certificate is requested is based at least in part 
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on a random or pseudo-random number^ means operatively 
connected to such second electronic appliance for decrypting such 
certificate and determining such certificate's validity and/or the 
validity of identity information. 

262. In a system comprising at least two electronic 
appUanceS) an authenticating method comprising: 

issuing at least two digital certificates reflecting identify 
information, including the step of encrypting the two digital 
certificates using different certifying private keys, 

storing such certificates in a first electronic appUance, 
transmitting and receiving signals between electronic 
appUances, 

requesting, with a second electronic appHance, 
transmission of one of the digital certificates fi-om the first 
electronic appliance, including the step of selecting a certificate 
based at least in part on a random or pseudo-random number, 

deciypting such certificate with the second electronic 
appliance; and 

determining such certificate's vaUdity and/or the vaKdity of 
identity information. 

263. A method of secure electronic mail characterized by 
the steps of creating at least one electronic message using an 
interoperable protected processing environment, encrypting at 
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least a portion of said at least one message, securely associating 
one or more sets of control information with one or more 
messages to set at least one condition for the use of said at least 
one message, communicating the protected electronic messages to 
one or more recipients having protected processing environments, 
securely communicating at least one set of the same or differing 
control information to each recipient, enabling recipients of both 
control information and protected messages to use message 
information at least in part in accordance with the conditions 
specified by the control information. 

264. A system for secure electronic mail including multiple 
protected processing environments, the system characterized by: 

a first protected processing environment for creating at 
least one electronic message, the first environment including 
means for enciypting at least a portion of said at least one 
message, means for securely associating one or more sets of 
control information with one or more messages to set at least one 
condition for the use of said at least one message, and means for 
coinmunicating the protected electronic messages to one or more 
recipients having interoperable protected processing 
environments, 

means for securely conununicating at least one set of the 
same or differing control information to each recipient, and 
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means for enabling recipients of both control information 
and protected messages to use message information at least in 
part in accordance with the conditions specified by the control 
information. 

265. A method of information management characterized 
by the steps of protecting content from unauthorized use, 
securely associating enabling control information with at least a 
portion of such protected content wherein such enabling control 
information incorporates information describing how the 
enabling control information may be redistributed, dehvering at 
least a portion of the protected content to a first user, deUvering 
such enabling control information to such first user, receiving a 
request to redistribute such enabling control information from 
such first user, using the description of how enabling control 
information may be redistributed to create new enabling control 
information where such new enabling control information may be 
the same or different than the enabling control information 
received by such first user, deUvering the new enabling control 
information and/or protected information to a second user. 

266. An information management system characterized 

by: 

means for protecting content fi*om imauthorized use, 
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means for securely associating enabling control 
information with at least a portion of such protected content, 
including means for incorporating enabling control information 
describing how the enabling control information may be 
redistributed, 

means for delivering at least a portion of the protected 
content to a fixst user, 

means for delivering such, enabling control information to 
such first user, 

means for receiving a request to redistribute such enabling 
control information from such first user, 

means for using the description of how enabling control 
information may be redistributed to create new enabling control 
information where such new enabling control information may be 
the same or different than the enabling control information 
received by such first user, and 

means for deUvering the new enabling control information 
and/or protected information to a second user. 

267. A method of controlling redistribution of distributed 
digital information including the steps of encrypting digital 
information, distributing said encrypted digital information from 
a first party to a second party, establishing control ioformation 
regarding the redistribution of at least a portion of said encrypted 
digital ioformation from said second party to at least one third 
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party, regulating the redistribution of said at least a portion of 
said encrypted digital information through the use of a protected 
processing environment processing said control information. 

268. A system for controlling redistribution of distributed 
digital information including: 

means for encrypting digital information, 

means for distributing said encrypted digital information 

from a first party to at least one second party, 

means for establishing control information regarding the 

redistribution of at least a portion of said encrypted digital 

information from said second party to at least one third party, 

and 

a protected processing environment for processing said 
control information and for regulating the redistribution of said 
at least a portion of said encrypted digital information. 

269. A method of controlling a robot characterized by the 
steps of creating instructions for one or more robots, creating a 
secure container incorporating such instructions, associating 
control information with such secure container, incoiporating at 
least one secure processing unit into such one or more robots, and 
performing at least a portion of such instructions in accordance 
with at least a portion of such control information. 
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270. A method as in claim 267 fiirther characterized in 
that such control information includes information describing the 
conditions under which such instructions may be used and the 
nature of audit reports required when such instructions are 
performed. 

271. A robot control system characterized by: 
means for creating instructions for one or more robots, 
means for creating a seciire container incorporating such 

instructions, 

means for associating control information with such secure 
container, 

means for incorporating at least one secure processing unit 
into such one or more robots, and 

means for performing at least a portion of such instructions 
in accordance with at least a portion of such control information. 

272. A system as in claim 269 further characterized by 
means for creating such control information, including means for 
describing the conditions under which such instructions may be 
used and the nature of audit reports required when such 
instructions are performed. 

273. A method of detecting fraud in electronic commerce 
characterized by the steps of creating at least one secure 
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container, associating control information with such one or more 
containers including control information requiring that audit 
information be collected and transmitted to an auditing party, 
delivering such one or more containers and such control 
information to at least one user, recording information 
identifying each container and each such user, receiving audit 
information, creating a profile of usage based at least in part on 
such received audit information and/or such control information, 
detecting cases where certain audit information dififers at least in 
part from such profile of usage. 

274. A system for detecting firaud in electronic conunerce 

characterized by 

means for creating at least one secure container, 

means for associating control information with such one or 

more containers including control information requiring that 

audit information be coUected and transmitted to an auditing 

party, 

means for delivering such one or more containers and such 
control information to at least one user, 

means for recording information identifying each container 
and each such user, 

means for receiving audit information, 
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means for creating a projBle of usage based at least in part 
on such received audit information and/or such control 
informatdon, and 

means for detecting cases where certain audit information 
differs at least in part firom such profile of usage. 

275. A method of detecting fraud in electronic commerce 
characterized by the steps of distributing at least in part 
protected digital information to customers, distributing one or 
more rights to use at least a portion of such digital information 
across an electronic network, allowing a customer to use at least 
a part of said at least in part protected digital information 
through the use of a protected processing environment and at 
least one of said one or more distributed rights, detecting 
unusual usage activity related to use of said digital information. 

276. A system for detecting fraud in electronic commerce 
characterized by 

means for distributing at least in part protected digital 
information to customers, 

means for distributing one or more rights to use at least a 
portion of such digital information across an electronic network, 

a protected processing environment for allowing a 
customer to use at least a part of said at least in part protected 
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digital information through at least one of said one or more 
distributed rights, and 

means for detecting unusual usage activity related to use 
of said digital information. 

277. A programmable component arrangement comprising 
a tamper resistant processing environment including a 
microprocessor, memory, a task manager, memory manager and 
external interface controller, means for loading arbitrary 
components at least in part into the memory, means for initiating 
one or more tasks associated with processing such components, 
means for certifying the validity, integrity and/or trustedness of 
such components, means for creating arbitrary components, 
means for associating arbitrary events with such created 
components, means for certifying the validity, integrity and/or 
trustedness of such created components, and means for securely 
deliveriag such created components. 

278. In a programmable component arrangement 
comprising a tamper resistant processing environment including 
a microprocessor, memory, a task manager, memory manager 
and an external interface controller, a processing method 
characterized by the following steps: 

creating arbitrary components, 

associating arbitrary events with such created components, 
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loading the arbitrary components at least in part into the 
memory, 

initiating one or more tasks associated with processing 
such loaded components, 

certifying the validity, integrity and/or trustedness of such 
created components, and 

securely delivering such created components. 

279. A distributed, protected, programmable component 
arrangement comprising at least two tamper resistant processing 
enviroiunents including a microprocessor, memory, a task 
manager, memory manager and external interface controller, 
means for loading arbitrary components at least in part into the 
memory, means for initiating one or more tasks associated with 
processing such components, and means for certifying the 
validity, integrity and/or trustedness of such components, said 
arrangement further comprising means for creating arbitrary 
components, means for associating arbitrary events with such 
created components, means for certifying the validity, integrity 
and/or trustedness of such created components, means for 
securely delivering such created components between at least two 
of said at least two tamper resistant processing environments. 

280. In a distributed, protected, programmable component 
arrangement comprising at least two tamper resistant processing 
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environments including a microprocessor, memory, a task 
manager, memoiy manager and external interface controller, a 
method comprising 

creating arbitrary components, 
certifying the validity, integrity and/or trustedness of such 
components, 

loading arbitrary components at least in part into the 
memory, 

initiating one or more tasks associated with processing 
such components, 

associating arbitrary events with such created components, 

and 

securely delivering such created components between at 
least two of said at least two tamper resistant processing 
environments. 

281. An electronic appUance comprising at least one CPU, 
memory, at least one system bus, at least one protected 
processing environment, and at least one of a Rights Operating 
System or Rights Operating System layer associated with a host 
operating system. 

282. An operating system comprising at least one task 
manager, at least one memory manager, at least one input/output 
manager, at least one protected processing environment, means 
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for detectmg events, means for Etssociating events with rights 
control functions, means for performing rights control functions 
at least in part within such one or more protected processing 
environments. 

283. In an operating system comprising at least one task 
manager, at least one memory manager, at least one input/output 
manager, at least one protected processing environment, an 
operating method comprising: 

detecting events, 

associating events with rights control fimctions, and 
performing rights control functions at least in part within 
sudi one or more protected processing environments. 

284. A method of business automation characterized by 
the steps of creating one or more secure containers including 
accounting and/or other administrative information, associating 
control information with such one or more secinre containers 
including a description of (a) the one or more parties to whom the 
container may and/or must be deUvered and/or (b) the operations 
that one or more parties may and/or must perform with respect to 
such accoimting and/or other administrative information, 
delivering one or more of such containers to one or more parties, 
and enabling the description and/or enforcement of at least a 
portion of such control infozmation prior, during and/or 
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information by one or more parties. 

285. A method as in claim 282 where such control 
information iurther includes at least one requirement that audit 
information be collected and delivered to one or more auditing 
parties, and further includes the step of deUvering at least a 
portion of such audit information to one or more parties. 

286. A method as in claim 283 where at least a portion of 
such audit information is automatically processed by at least one 
of such auditing parties, and further includes the step of 
transmitting further accounting, administrative and/or audit 
information to one or more parties that may be the same and/or 
differ from the one or more parties &om whom audit information 
was received based at least in part on the receipt and/or content 
of such received audit information. 

287. A method as in claim 282 where at least two of such 
parties are associated with different businesses and/or other 
organizations and such control information includes information 
that at least in part describes an accounting, administrative, 
reporting and/or other audit relationship between such 
businesses and/or other organizations. 
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288. A method as in claim 282, 283, 284, or 285 where 
some or all of such accoimting and/or other administrative 
information is included in such control information. 

289. A business automation system characterized by: 
means for creating one or more secure containers including 

accounting and/or other administrative information, 

means for associating, with such one or more secure 
containers, control information including a description of (a) the 
one or more parties to whom the container may and/or must be 
delivered and/or (b) the operations that one or more parties may 
and/or must perform with respect to such accounting and/or other 
administrative information, 

means for deUvering one or more of such containers to one 
or more parties, and 

means for enabling the description and/or enforcement of 
at least a portion of such control information prior, during and/or 
subsequent to use of such accounting and/or other administrative 
information by one or more parties. 

290. A system as in claim 287 where the associating 
means further includes means for associating at least one 
requirement that audit infoimation be collected and delivered to 
one or more auditing parties, and the dehvering means includes 
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means for delivering at least a portion of such audit information 
to one or more parties. 

291. A system as in claim 288 further including means for 
automatically processing at least a portion of such audit 
information, and the system further includes means for 
transmitting further accoimting, administrative and/or audit 
information to one or more parties tiiat may be the same and/or 
differ from the one or more parties from whom audit information 
was received based at least in part on the receipt and/or content 
of such received audit information. 

292. A system as in claim 287 where at least two of such 
parties are associated with different businesses and/or other 
organizations and the associating means includes means for 
generating control information including information that at 
least in part describes an accounting, administrative, reporting 
and/or other audit relationship between such businesses and/or 
other organizations. 

293. A system as in claim 286, 287, 288, or 290 where 
some or all of such accounting and/or other administrative 
information is included in such control information. 
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294. A method of distributmg content characterized by the 
steps of creating one or more first secure containers, associating 
control information with such first containers including 

information describing the conditions under which some or all of • 

the content of such first containers may be extracted, delivering 

at least a portion of sudi first containers and such control 

information to one or more parties, detecting a request by one or 

more of such parties to extract some or all of the content of such 

first containers, determining if such request is permitted in whole 

or in part by such control information, to the extent permitted by 

such control information creating one or more second secxare 

containers in accordance with such request and such control 

information, associating control information with such one or 

more second secure containers based at least in part on control 

information associated with such first containers. 

295. A system for distributing content characterized by: 
means for creating one or more first secure containers, 
means for associating control information with such first 

containers including information describing the conditions under 
which some or all of the content of such first containers may be 
extracted, 

means for delivering at least a portion of such first 
containers and such control information to one or more parties. 
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means for detecfang a request by one or more of such 
parties to extract some or all of the content of such first 
containers, 

means for determining if such request is permitted in 
whole or in part by such control information, to the extent 
permitted by such control information creating one or more 
second secure containers in accordance with such request and 
such control information, and 

means for associating control information with such one or 
more second secure containers based at least in part on control 
information associated with such first containers. 

296. A method of distributing content characterized by the 
steps of creating one or more first secure containers, associating 
control information with such first secure containers including 
information describing the conditions imder which such first 
secure containers (a) may in whole or in part be embedded into 
and/or secxirely associated with one or more second secure 
containers and/or (b) may allow one or more secure containers to 
be in whole or in part embedded into and/or securely associated 
with such fibrst secure containers, dehvering at least a portion of 
such first secure containers and such control information to one 
or more parties, detecting a request by one or more of such 
parties or by additional parties to (a) in whole or in part embed 
into and/or securely associate with such first containers one or 
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more second containers and/or (b) in whole or in part embed into 
and/or securely associate with a secure container such first 
secure containers, determining if such request is permitted by 
control information, to the extent permitted by control 
information performing one or more embedding and/or secure 
association operations, to the extent required by control 
information and/or requested by one or more of such parties, 
modifying and/or creating new control information at least in 
part as a consequence of such one or more embedding and/or 
secure association operations. 

297. A system for distributing content characterized by 
means for creating one or more first secure containers, 
means for associating control information with such first 
secure containers including information describing the conditions 
under which such first secure containers (a) may in whole or in 
part be embedded into and/or securely associated with one or 
more second seciu^e containers and/or (b) may allow one or more 
secure containers to be in whole or in part embedded into and/or 
securely associated with such first secure containers, 

means for deUvering at least a portion of such first secure 
containers and such control information to one or more parties, 

means for detecting a request by one or more of such 
parties to (a) in whole or in part embed into and/or securely 
associate with such iirst containers one or more second 
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containers and/or (b) in whole or in part embed into and/or 
securely associate with a secure container such first secure 
containers, and 

means for determining if such request is permitted by 
control information, to the extent permitted by control 
information performing one or more embedding and/or secure 
association operations, to the extent required by control 
information and/or requested by one or more of such parties, 
modifying and/or creating new control information at least in 
part as a consequence of such one or more embedding and/or 
secure association operations. 

298. A method of distributing information characterized by 
the steps of protecting information from xmauthorized use, 
associating control information with such protected information, 
delivering at least a portion of such protected infonnation to one 
or more parties tising plural pathways, delivering at least a 
portion of such control information to one or more parties using 
the same or different plural pathways, enabling at least one of 
such parties to make at least some use of such protected 
information delivered using a first pathway in accordance with 
control infonnation at least a portion of which is deUvered using 
a second pathway. 
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299. A method as in claim 296 in which at least one of 
such pathways of delivering protected information and/or control 
information is described by such control information. 

300. A system for distributing information characterized 

by: 

means for protecting information from unauthorized use, 

means for associating control information with such 
protected information, 

means for delivering at least a portion of such protected 
information to one or more parties using plural pathways, 

means for delivering at least a portion of such control 
information to one or more parties using the same or different 
pliiral pathways, 

means for enabling at least one of such parties to make at 
least some use of such protected information delivered using a 
first pathway in accordance with control information at least a 
portion of which is delivered using a second pathway. 

301. A system as in claim 298 wherein the delivering 
means includes means for delivering, over at least one of such 
pathways, protected information and/or control information 
described by such control information. 
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302. A method of distributing information characteiiz 
the steps of protecting information from imauthorized use, 
associating control information with such protected information 
including information requiring the collection of audit 
information, enabling one or more parties to receive and/or 
process audit information, delivering at least a portion of such 
protected information and such control information to one or 
more parties, enabling at least some use of such protected 
information in accordance with at least a portion of such control 
information that requires the collection of audit information, 
delivering such audit information to one or more of such enabled 
auditing parties different from such deHvering party or parties. 

303. A method as in claim 300 in which at least one of 
such auditing parties is specified in such control information. 

304. A system for distributing information characterized 

by 

means for protecting information from imauthorized use, 
means for associating control information with such 

protected information including information requiring the 

collection of audit information, 

means for enabling one or more parties to receive and/or 

process audit information, 
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means for delivermg at least a portion of such protected 
information and such control information to one or more parties, 

means for enabling at least some use of such protected 
information in accordance with at least a portion of such control 
information that requires the collection of audit information, and 

means for deUvering such audit information to one or more 
of such enabled auditing parties different from such dehvering 
party or parties. 

305. A system as in claim 302 in whidi at least one of such 
auditing parties is specified in such control information. 

306. A secure component-based operating process 
including: 

(a) retrieving at least one component; 

(b) retrieving a record that specifies a component 
assembly; 

(c) checking said component and/or said record for validity; 

(d) using said component to form said component assembly 
in accordance with said record; and 

(e) performing a process based at least in part on said 
component assembly. 

307. A process as in claim 304 wherein said step (c) 
further comprises executing said component assembly. 
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308. A process as in daim 304 wherein said component 
comprises executable code. 

309. A process as in claim 304 wherein said component 
comprises a load module. 

310. A process as in claim 304 wherein: 
said record comprises: 

(i) directions for assembling said component assembly; 
and 

(ii) information that at least in part specifies a control; 
and 

said process further comprises controlling said step (d) 
and/or said step (e) based at least in part on said control. 

311. A process as in claim 304 wherein said component 
has a security wrapper, and said controlling step comprises 
selectively opening said security wrapper based at least in part 
on said control. 

312. A process as in claim 304 wherein: 

said permissions record includes at least one decryption 
key; and 

said controlling step includes controlling use of said 
decryption key. 
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313. A process as in claim 304 including performing at 
least two of said steps (a) and (e) within a protected processing 
environment. 

314* A process as in claim 304 including performing at 
least two of said steps (a) and (e) at least in part within tamper- 
resistant hardware. 

315. A method as in claim 304 wherein said performing 
step (e) includes metering usage. 

316. A method as in claim 304 wherein said performing 
step (e) includes auditing usage. 

317. A meUiod as in claim 304 wherein said performing 
step (e) includes budgeting usage. 

318. A secure component operating system process 
including: 

receiving a component; 

receiving directions specifying use of said component to 
form a component assembly; 

authenticating said received component and/or said 
directioxus; 
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forming, using said component, said component assembly 
based at least in part on said received directions; and 

using said component assembly to perform at least one 
operation. 

319. A method comprising performing the following steps 
within a secure operating system enviromnent: 

providing code; 

providing directions specifying assembly of said code into 
an executable program; 

checking said received code and/or said assembly directors 
for vaHdily; and 

in response to occurrence of an event, assembling said code 
in accordance with said received assembly directions to form an 
assembly for execution. 

320. A method for managing at least one resource with a 
secure operating environment, said method comprising: 

securely receiving a first control from a first entity external 
to said operating environment; 

securely receiving a second control from a second entily 
external to said operating environment, said second entity being 
different from said first entity; 

securely processiag, using at least one resource, a data 
item associated with said first and second controls; and 
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secvirely applying said first and second controls to manage 
said resource for use with said data item. 

321. A method for securely managing at least one 
operation on a data item performed at least in part by an 
electronic arrangement, said method comprising: 

(a) securely delivering a first procedure to said electronic 
arrangement; 

(b) securely delivering, to said electronic arrangement, a 
second procedure separable or separate from said first procedure; 

(c) performing at least one operation on said data item, 
including using said first and second procedures in combination 
to at least in part securely manage said operation; and 

(d) securely conditioning at least one aspect of use of said 
data item based on said delivering steps (a) and (b) having 
occurred. 

322. A method as in claim 319 including performing said 
delivering step (b) at a time different firom the time said 
delivering step (a) is performed. 

323. A method as in claim 319 wherein said step (a) 
includes dehvering said first procedure firom a first source, and 
said step (b) includes delivering said second procedure firom a 
second source difierent firom said first source. 
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324. A method as in claim 319 further induding ensuring 
the integrity of said first and second procediires. 

325. A method as in claim 319 further including validating 
each of said first and second procedures. 

326. A method as in claim 319 further including 
authenticating each of said first and second procedtires. 

327. A method as in claim 319 wherein said using step (c) 
includes executing at least one of said first and second procedures 
within a tamper-resistant environment. 

328. A method as in claim 319 wherein said step (c) 
includes the step of controlling said data item with at least one of 
said first and second procediires. 

329. A method as in daim 319 further including 
establishing a relationship between at least one of said first and 
second procedures and said data item. 

330. A method as in claim 319 further including 
establishing correspondence between said data item and at least 
one of said first and second procedures. 
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331. A method as in daim 319 wherein said delivermg 
step (b) comprises delivering at least one load module encrypted 
at least in part. 

332. A method as in claim 329 wherein said delivering 
step (a) comprises delivering at least one iurther load module 
encrypted at least in part. 

333. A method as in claim 319 wherein said delivering 
step (b) comprises delivering at least one content container 
carrying at least in part secure control information. 

334. A method as in claim 319 wherein said delivering 
step (b) comprises deUvering a control method and at least one 
further method. 

335. A method as in claim 319 wherein said dehvering 
step (a) includes: 

encrypting at least a portion of said first procedure, 

communicating said at least in part encrypted jBrst 
procedure to said electronic arrangement, 

decrypting at least a portion of said first procedure at least 
in part using said electronic arrangement, and 

validating said first procedure with said electronic 
arrangement. 
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336. A method as in claim 319 wherein said delivering 
step (b) includes deHvering at least one of said first and second 
procedures within an administrative object. 

337. A method as in claim 319 wherein said delivering 
step (b) includes codelivering said second procedure in at least in 
part encrypted form with said data item. 

338. A method as in claim 319 wherein said performing 
step includes metering usage. 

339. A method as in claim 319 wherein said performing 
step includes auditing usage. 

340. A method as in claim 319 wherein said performing 
step includes budgeting usage. 

341. A method for securely managing at least one 
operation performed at least in part by a secure electronic 
appliance, comprising: 

(a) selecting an item that is protected with respect to at 
least one operation; 

(b) securely independently deUvering plural separate 
procediu^s to said electronic appHance; 
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(c) using said pliiral separate procedures in combination to 
at least in part securely manage said operation with respect to 
said selected item; and 

(d) conditioning successftd completion of said operation on 
said delivering step (b) having occurred. 

342. A method for processing based on deliverables 
comprising: 

securely delivering a first piece of code defining a first part 
of a process; 

separately, securely delivering a second piece of code 
defining a second part of said process; 

ensuring the integrity of the first and second delivered 
pieces of code; and 

performing said process based at least iq part on said first 
and second delivered code pieces. 

343. A method as in claim 340 wherein a first piece of code 
for said process at least in part controls decryptiag content. 

344. A method as ia claim 340 wherein said ensuring step 
includes vaUdating said first and second pieces of code. 
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345. A method as in claim 340 wherein said ensuring step 
includes validating said first and second pieces of code relative to 
one another. 

346. A method as in claim 340 wherein said performing 
step includes metering usage. 

347. A method as in claim 340 wherein said performing 
step includes auditing activities. 

348. A method as in claim 340 wherein said performing 
step includes budgeting usage. 

349. A method as in claim 340 wherein said performing 
step includes electronically processing content based on electronic 
controls. 

350. A method of securely controlling at least one 
protected operation with respect to a data item comprising: 

(a) suppljring at least a first control fi-om a first party; 

(b) supplying at least a second control firom a second party 
different from said first party; 

(c) securely combining said first and second controls to 
form a set of controls; 
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(d) securely associating said control set with said data 
item; and 

(e) securely controlling at least one protected operation 
with respect to said data item based on said control set. 

351. A method as in claim 348 wherein said data item is 
protected. 

352. A method as in claim 348 wherein at least one of said 
plural controls iacludes a control relating to metering at least one 
aspect of use of said protected data item. 

353. A method as in claim 348 wherein at least one of said 
plural controls include a control relatiag to budgeting at least one 
aspect of use of said protected data item. 

354. A secure method for combining data items into a 
composite data item comprising: 

(a) securely providing a first data item having at least a 
first control associated therewith; 

(b) seciu^ely providing a second data item having at least a 
second control associated therewith; 

(c) forming a composite of said first and second data 

items; 
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(d) securely combining said first and second controls into a 
composite control set; and 

(e) performing at least one operation on said composite of 
said first and second data items based at least in part on said 
composite control set. 

355. A method as in claim 352 wherein said combining 
step includes preserving each of said first and second controls in 
said composite set 

356. A method as in claim 352 wherein said performing 
step comprises governing the operation on said composite of said 
first and second data items in accordance with said first control 
and said second control . 

357. A method as in claim 352 wherein said providiog step 
includes ensuring the integrity of said association between said 
first controls and said first data item is maintained during at 
least one of transmission, storage and processing of said first 
data item. 

358. A method as in claim 352 wherein said providing step 
comprises delivering said first data item separately firom said 
first control . 
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359. A method as in daim 352 wherein said providing step 
comprises codelivering said first data item and said first control . 

360. A secure method for controlling a protected operation 
comprising: 

(a) delivering at least a first control and a second control; 

and 

(b) controlling at least one protected operation based at 
least in part on a combination of said first and second controls, 
including at least one of the following steps: 

resolving at least one conflict between said first and 
second controls based on a predefined order; 

providing an interaction with a user to form said 
combination; and 

dynamically negotiating between said first and second 
controls. 

361. A method as in claim 358 wherein said controlling 
step (b) includes controlling decryption of electronic content. 

362. A method as in claim 358 further including: 
receiving protected electronic content firom a party; and 
authenticating the identity of said party prior to using said 

received protected electronic content. 
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363. A secure method comprising: 
selecting protected data; 

extracting said protected data firom an object; 
identifying at least one control to manage at least one 
aspect of use of said extracted data; 

placing said extracted data into a further object; and 
associating said at least one control with said further 

object. 

364. A method as in claim 361 further including liTTiiting 
at least one aspect of use of said further object based on said at 
least one control. 

365. A secure method of modifying a protected object 
comprising: 

(a) providing a protected object; and 

(b) embeddiag at least one additional element into said 
protected object without unprotecting said object. 

366. A method as in claim 60 further includiag: 
associating at least one control with said object; and 
limiting usage of said element iu accordance with said 

control. 
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367. A method as in claim 363 fturther including a 
permissions record within said object. 

368. A method as in claim 364 further including at least in 
part encrypting said object. 

369. A method for managing at least one resource with a 
secure operating enviroiunent, said method comprising: 

securely receiviag a first load modiale fi:'om a first entity 
external to said operating environment; 

securely receiving a second load module fi-om a second 
entity external to said operating environment, said second entity 
being different firom said first entity; 

securely processing, using at least one resource, a data 
item associated with said fijrst and second load modules; and 

securely appl3ang said first and second load modules to 
manage said resource for use with said data item. 

370. A method for negotiating electronic contracts, 
comprising: 

receiving a first control set firom a remote site; 
providing a second control set; 

performing, within a protected processing envirozmient, an 
electronic negotiation between said first control set and said 
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second control set, including providing interaction between said 
first and second control sets; and 

producing a negotiated control set resulting firom said 
interaction between said first and second control sets. 

371. A system for supporting electronic conunerce 
including: 

means for creating a first secure control set at a first 
location; 

means for creating a second secure control set at a second 
location; 

means for securely communicating said first secure control 
set fi-om said first location to said second location; and 

means at said second location for securely integrating said 
first and second control sets to produce at least a third control set 
comprising plural elements together comprisiag an electronic 
value chain extended agreement. 

372. A system for supporting electronic commerce 
including: 

means for creating a first secure control set at a first 
location; 

means for creating a second secure control set at a second 
location; 
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means for securely commuiucatmg said first secure control 
set from said first location to said second location; and 

negotiation means at said second location for negotiating 
an electronic contract through secure execution of at least a 
portion of said first and second secure control sets. 

373. A system as in claim 370 further including means for 
controlling use by a user of protected information content based 
oil at least a portion of said first and/or second control sets* 

374. A system as in claim 370 further including means for 
charging for at least a part of said content use. 

375. A secure component-based operating system 
including: 

component retrieving means for retiieving at least one 
component; 

record retrieving means for retrieving a record that 
specifies a component assembly; 

checking means, operatively coupled to said component 
retrieving means and said record retrieving means, for checking 
said component and/or said record for validity; 

using means, coupled to said checking means, for using 
said component to form said component assembly id accordance 
with said record; and 
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performing means, coupled to said using means, for 
performing a process based at least in part on said component 
assembly. 

376. A secure component-based operating system 
including: 

a database manager that retrieves, from a secure database, 
at least one component and at least one record that specifies a 
component assembly; 

an authenticating manager that checks said component 
and/or said record for validity; 

a channel manager that uses said component to form said 
component assembly in accordance with said record; and 

an execution manager that performs a process based at 
least in part on said component assembly. 

377, A secure component operating system including: 
means for receiving a component; 

means for receiving directions specifying use of said 
component to form a component assembly; 

means, coupled to said receiving means, for authenticating 
said received component and/or said directions; 

means, coupled to said authenticating means, for forming, 
using said component, said component assembly based at least in 
part on said received directions; and 
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means, coupled to said forming means, for using said 
component assembly to perform at least one operation. 

378. A secure component operating environment 
including: 

a storage device that stores a component and directions 
specifying use of said component to form a component assembly; 

an authenticating manager that authenticates said 
component and/or said directions; 

a channel manager that forms, using said component, said 
component assembly based at least in part on said directions; and 

a channel that executes said component assembly to 
perform at least one operation. 

379. A secure operating system enviroimient comprising: 
a storage device that stores code and directions specifying 

assembly of said code into an executable program; 

a validating device that ched^ said received code and/or 
said assembly directors for validity; and 

an event-driven channel that, in response to occurrence of 
an event, assembles said code in accordance with said assembly 
directions to form an assembly for execution. 

380. A secure operating environment system for managing 
at least one resource comprising: 
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a communications arrangement that securely receives a 
first control from a fib:^t entity external to said operating 
environment, and securely receives a second control from a 
second entity external to said operating environment, said second 
entity being different from said first entity; and 

a protected processing environment, coupled to said 
communications arrangement, that: 

(a) securely processes, using at least one resource, a data 
item associated with said first and second controls, and 

(b) securely applies said first and second controls to 
manage said resource for use of said data item. 

381. A system for negotiating electronic contracts, 
comprisiag: 

a storage arrangement that stores a first control set 
received from a remote site, and stores a second control set; 

a protected processing enviroimient, coupled to said 
storage arrangement, that: 

(a) performs an electronic negotiation between said 
first control set and said second control set, 

(b) provides interaction between said first and 
second control sets, and 

(c) produces a negotiated control set resulting firom 
said interaction between said first and second control sets. 



1059 



wo 96/27155 



PCT/DS96/02303 



382. A system as in claim 379 further including means for 
electronically enforcing said negotiated control set. 

383. A system as in claim 379 further including means for 
generating an electronic contract based on said negotiated control 
set. 

384. A method for supporting electronic commerce 
including: 

creating a first secure control set at a first location; 

creating a second secure control set; 

electronically negotiating, at said location different fi-om 
said first location, an electronic contract, including the step of 
securely executing at least a portion of said first and second 
control sets. 

385. An electronic appliance comprisiag: 
a processor, and 

at least one memory device connected to said processor; 
wherein said processor includes: 
retrieving means for retrieving at least one component, 
and at least one record that specifies a component assembly, fi^om 
said memory device, 

checking means coupled to said retrieving means for 
checking said component and/or said record for validity, and 
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using means coupled to said retrieving means for using 
said component to form said component assembly in accordance 
with said record. 

386. An electronic appliance comprising: 
at least one processor; 

at least one memory device connected to said processor; 

and 

at least one input/output connection operatively coupled to 
said processor, 

wherein said processor at least in part executes a rights 
operating system to provide a secure operating environment 
within said electronic appliance. 

387. An electronic appliance as in claim 384 wherein said 
processor includes means for providing a channel, said channel 
assembling independently deliverable components into a 
component assembly and executing said component assembly. 

388. An electronic appliance as in claim 384 further 
including a secondary storage device coupled to said processor, 
said secondary storage device storing a secure database, said 
processor including means for decrypting information obtained 
from said secure database and for encxypting information to be 
written to said secure database. 
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389. An electronic appliance as in claim 384 wherein said 
processor and said memory device are disposed in a secure, 
tamper-resistance encapsulation. 

390. An electronic appliance as in claim 384 wherein said 
processor includes a hardware enciyptor/decryptor. 

391. An electronic appliance as in claim 384 wherein said 
processor includes a real time clock. 

392. An electronic appliance as in claim 384 wherein said 
processor includes a random number generator. 

393. An electronic appliance as in claim 384 wherein said 
memory device stores audit information. 

394. A method for auditing the use of at least one resource 
with a secure operating environment, said method comprising: 

securely receiving a &st control from a first entity external 
to said operating environment; 

securely receiving a second control from a second entity 
external to said operating environment, said second entity being 
different from said first entity; 

using at least one resource; 
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securely sending to said first entity in accordance with said 
first control, first audit information concerning use of said 
resource; and 

securely sending to said second entity in accordance with 
said second control, second audit information concerning use of 
said resource, said second audit information being at least in part 
different fi^om said first audit information. 

395. A method for auditing the use of at least one resource 
with a secure operating environment, said method comprising: 

securely receiving first and second control alternatives 
from an entity external to said operating environment; 

selecting one of said first and second control alternatives; 

using at least one resoiurce; 

if said first control alternative is selected by said selecting 
step, securely sending to said entity in accordance with said first 
control alternative, first audit information concerning use of said 
resource; and 

if said second control alternative is selected by said 
selecting step, securely sending to said second entity in 
accordance with said second control alternative, second audit 
information concerning use of said resource, said second audit 
information being at least in part different fi-om said first audit 
information. 
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396. A method and/or system for enabling a sale of 
protected digital information that has been previously distributed 
to users, the method or system being characterized by a secure 
element that selectively controls access to the protected digital 
information based on electronic controls associated with the 
information. 

397. A distributed, secure electronic point of sale system or 
method characterized by a secure processing element for 
selectively releasing goods and/or services in exchange for 
compensation. 

398. In a distributed digital network, an advertising 
method characterized by the steps of tracking usage of digital 
information that has associated with it one or more controls with 
respect to access to and/or usage of said infozmation; and 
targeting advertising messages based at least in part on said 
tracking. 

399. A distributed electronic advertising system 
characterized in that the system uses a distributed network of 
interoperable protected processing environments to at least in 
part deliver advertising to users. 
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400. A distributed, secure, virtual black box comprised of 
nodes located at VDE content container creators, other content 
providers, client users, and recipients of secure VDE content 
usage information) site, the nodes of said virtual black box 
including a secure subsystem having at least one secure 
hardware element such as a semiconductor element or other 
hardware module for securely executing VDE control processes, 
said secure subsystems being distributed at nodes along a 
pathway of information storage, distribution, payment, usage, 
and/or auditing. 

401. A protected processing system or method providing 
multiple currencies and/or payment arrangements for the secure 
processing and releasing of protected digital information. 

402. A distributed secure method or system characterized 
in that a user's age is xised as a criteria for electronically, 
securely releasing information and/or resources to the user. 

403. A method of renting an electronic appUance defining 
a secure processiag environment. 

404. A virtual distribution enviroimient providing any one 
or more of the following features and/or elements and/or 
combinations thereof; 
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a configurable protected^ distributed event management 
system; and/or 

a trusted, distributed transaction and storage management 
arrangement; and/or 

plxiral pathways for providing information, for control 
information, and/or for reporting; and/or 

multiple payment methods; and/or 

mtiltiple currencies; and/or 

EDI; and/or 

Electronic banking; and/or 
electronic document management; and/or 
electronic secure communication; and/or 
e-mail; and/or 

distributed asynchronous reporting; and/or 

combiaation asynchronous and online management; and/or 

privacy control by users; and/or 

testing; and/or 

using age as a class; and/or 

appliance control (renting, etc.); and/or 

telecommunications infrastructure; and/or 

games management; and/or 

extraction of content from an electronic container; and/or 
embedding of content into an electronic container; and/or 
multiple certificate to allow for breach of a key; and/or 
virtual black box; and/or 
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independence of control information from content; and/or 
multiple, separate, simultaneous control sets for one digital 

information property; and/or 

updating control information for already distributed digital 

information; and/or 

organization information management; and/or 
coupled external and organization internal chain of 

handling and control; and/or 

a content usage consequence management system 

(reporting, payment, etc., multiple directions); and/or 

a content usage reporting system providing diEFering audit 

information and/or reduction going to multiple parties holding 

rights iQ content; and/or 

an automated remote secure object creation system; and/or 
infrastructure bad^ground analysis to identify improper 

use; and/or 

seniority of control information system; and/or 

secure distribution and enforcement of rules and controls 

separately from the content they apply to; and/or 

redistribution management by controlling the rights and/or 

number of copies and or pieces etc. that may be redistributed; 

and/or 

an electronic commerce taxation system; and/or 
an electronic shopping system; and/or 
an electronic catalog system; and/or 
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a system handling electronic banking, electronic shopping, 
and electronic content usage management; and/or 

an electronic commerce multimedia system; and/or 

a distributed, secure, electronic point of sale system; and/or 

advertising; and/or 

electronics rights management; and/or 

a distributed electronic commerce system; and/or 

a distributed transaction system or environment; and/or 

a distributed event management system; and/or 

a distributed right systems. 

405. A Virtual Distribution Enviromnent substantially as 
shovni in Figure 1. 

406. An "Information Utilit3r" substantially as shown in 
Figure lA. 

407. A chain of handliag and control substantially as 
shown in Figure 1. 

408. Persistent rules and control information substantially 
as shown in Figure 2A. 

409. A method of providing different control information 
substantially as shown in Figure 1. 
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410. Rules and/or control iBformatioii substantially as 
shown in Figure 4. 

411. An object substantially as shown in Figures 5A and 

5B. 

412. A Secure Processing Unit substantially as shown in 
Figure 6. 

413. An electronic appliance substantially as shown in 
Figure 7. 

414. An electronic appliance substantially as shown in 
Figure 8. 

415. A Secure Processing Unit substantially as shown in 
Figure 9. 

416. A flights Operatiag System** ("ROS**) architecture 
substantially as shown in Figure 10. 

417. Functional relationship(s) between appHcations and 
the Rights Operating System substantially as shown in Figures 
IIA-IIC. 
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418. Components and component assemblies substantially 
as shown in Figures IID-IIJ. 

419. A Rights Operating System substantially as shown in 
FIGURE 12. 

420. A method of objection creation substantially as shown 
in Figure 12A. 

421. A 'protected processing environment" software 
architecture substantially as shown in Figure 13. 

422. A method of supporting a chcumel substantially as 
shown in Figure 15. 

423. A channel header and channel detail record 
substantially as shown in Figure 15 A. 

424. A method of creating a channel substantially as 
shown in Figure 15B. 

425. A sec\ire data base substantially as shown in Figure 

16. 

426. A logical object substantially as shown in Figure 17. 
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427. A stationaiy object substantiaUy as shown in 
FIGURE 18. 

428. A travelling object substantiaUy as shown in FIGUEE 

19. 

429. A content object substantially as shown in FIGURE 

20. 

430. An administrative object substantially as shown in 
Figure 21. 

431. A method core substantially as shown in Figure 22. 

432. A load module substantially as shown in FIGURE 

23. 

. 433. A User Data Element (UDE) and/or Method Data 
Element (MDE) substantiaUy as shown in FIGURE 24. 

434. Map meters substantiaUy as shown in FIGURES 
25A-25C. 

435. A permissions record (PERC) substantiaUy as shown 
in FIGURE 26. 
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436. A permissions record (PERC) substantially as 
shown in FIGURES 26A and 26B. 

437. A shipping table substantially as shown in FIGURE 

27. 

438. A receiving table substantially as shown in FIGURE 

28. 

439. An administrative event log substantially as shown 
in FIGURE 29. 

440. A method of interrelating and using an object 
registration table, a subject table and a user rights table 
substantially as shown in Figure 30. 

441. A method of using a site record table and a group 
record table to track portions of a secure database substantially 
as shown in FIGURE 34. 

442. A process for updating a secure database 
substantially as shown in FIGURE 35. 

443. A process of inserting new elements into a secure 
database substantially as shown in FIGURE 36. 
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444. A process of accessing elements in a secure database 
substantiaBy as shown in FIGURE 37. 

445. A process of protecting a secure database element 
substantially as shown in FIGURE 38. 

446. A process of backing up a secure database 
substantially as shown in FIGURE 39. 

447. A process of recovering a secure database 
substantially as shown in FIGURE 40. 

448. A process of enabling performing reciprocal methods 
to provide a chain of handling and control substantially as shown 
in FIGURES 41A-41D. 

449. A "reciprocal"' BUDGET method substantially as 
shown in FIGURES 42A-42D. 

450. A reciprocol audit method substantially as shown in 
FIGURES 44A.44C. 

451. A method for controlling release of content or other 
method substantially as shown in any of FIGURES 45-48. 
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452. An event method substantially as shown in 
FIGURES 53A-53B. 

453. A billing method substantially as shown in FIGURE 

53C. 

454. An extract method substantially as shown in 
FIGURE 57A. 

455. An embed method substantially as shown in FIGURE 

57A. 

456. An obscure method substantially as shown in 
FIGURE 58A. 

457. A fingerprint method substantially as shown in 
FIGURE 58B. 

458. A fingerprint method substantially as shown in 
FIGURE 58C. 

459. A meter method substantially as shown in FIGURE 

6. 
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460. A key "convolution" process substantially as shown in 
FIGURE 62. 

461. A process of generating different keys using a key 
convolution process to determine a 'ixue" key substantially as 
shown in FIGURE 63. 

462. A process of initializing protected processing 
environment keys substantially as shown in FIGURES 64 and/or 
65. 

463. A process for decrypting information contained within 
stationary objects substantially as shown ia FIGURE 66. 

464. A process for decrypting information contained within 
traveling objects substantiaUy as shown in FIGURE 67. 

465. A process for initializing a protected processing 
environment substantially as shown in FIGURE 68. 

466. A process of downloadiag firmware into a protected 
processing enviroimient substantially as shown in FIGURE 69. 
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467. Multiple VDE electronic appliances connected together with 
a network or other communications means substantially as 
shown in FIGURE 70. 

468 A portable VDE electronic appliance substantially as 
shown in FIGURE 71. 

469. "Pop-up*" displays that may be generated by the user 
notification and exception interface substantially as shown in 
Figures 72A-72D. 

470. A smart object substantially as shown in FIGURE 73. 

471. A method of processing smart objects substantially as 
shown in FIGURE 74. 

472. Electronic negotiation substantially as shown in any 
of FIGURES 75A-75D. 

473. An electronic agreement substantially as shown in 
FIGURES 75E-75F. 

474. Electronic negotiation processes substantially as 
shown in any of FIGURES 76A-76B. 
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475. A chain of handling and control substantially as 
shown in FIGURE 77. 

476. A VDE "repository" substantially as shown in 
FIGURE 78. 

477. A process of using a chain of handling and control to 
evolve and transform VDE managed content and control 
information substantially as shown in any or all of FIGURES 
79-83. 

478. A chain of handling and control involving several 
categories of VDE participants substantially as shown in 
FIGURE 84. 

479. A chain of distribution and handling within an 
organization substantially as shown in FIGURE 85. 

480. A chain of handling and control substantially as 
shown in Figures 86 and/or 86A. 

481. A virtual silicon container model substantially as 
shown in Figure 87. 



1077 



wo 96/27155 



PCT/US96/02303 



482. A method ofbusiness automation characterized by 
the steps of (a) creatings one or more secure containers including 
enciypted accounting and/or other administrative information 
content, (b) associating control information with one or more of 
such one or more secure containers including a description of (i) 
the one or more parties whom may use one or more of the one or 
more containers, and (ii) the operations that will be performed for 
one or more parties with respect to such accoimting and/or other 
administrative information, (c) electronically deUvering one or 
more of such one or more containers such to one or more parties, 
and (d) enabling through the use of a protected processing 
environment the enforcement of at least a portion of such control 
information. 

483. A business automation system characterized by: 
means for providing at least one secure container including 

administrative information content having control information 
associated therewith, and 

a protected processing environment for enforcing, at least 
in part, the control information. 

484. A business automation system comprising (a) 
distributed, interoperable protected processing environment 
installations, (b) secure containers for distribution of digital 
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informatioii, (c) control information supporting the automation of 
chain of handling and control functions. 

485. A method of business automation characterized by 
the steps of providing interoperable protected processing 
environment nodes to plural parties, communicating first 
encrypted digital information from a first party to a second party, 
communicating second encrypted digital information including at 
least a portion of said first communicated digital information 
and/or information related to the use of said first digital 
information, to a third party different fi-om said first or second 
parties, wherein use of said second encrypted digital information 
is regulated, at least in part, by an interoperable protected 
processing environment available to said third party. 

486. A business automation system characterized by: 
plural protected processing environment nodes, 

means for communicating digital information between the 
nodes, and 

wherein at least one of the nodes includes means for 
regulating the use of said communicated digital information. 

487. A method for chain of handling and control 
characterized by the steps of (a) a first party placing protected 
digital information into a first software container and stipulating 
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rules and controls governing use of at least a portion of said 
digital information, (b) providing said software container to a 
second party, wherein said second party places said software 
container into a further software container and stipulates rules 
and controls for at least in part managing use of at least a portion 
of said digital information and/or said first software container by 
a third parly. 

488. A chain of handling and control system characterized 

by: 

means for placing digital information into a first software 
container and for stipulating rules and/or controls governing use 
of at least a portion of said digital information, and 

means for placing said software container into a further 
software container and for stipulating further rules and/or 
controls for at least in part managing use of at least a portion of 
said digital information and/or said first software container. 

489. A system for chain of handling and control including 
(a) a first container containing at least in part protected digital 
information, (b) at least in part protected control information 
stiptdated by a first party establishing conditions for use of at 
least a portion of said digital content, (c) a second container 
different from said first container, said second container 
containing said first container, (d) control information stipulated 
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independently by a second party for at least in part setting 
conditions for managing use of the contents of said second 
container. 

490. A system for electronic advertising including: (a) 
means to provide digital information to users for their use, (b) 
means to provide advertisiag content to said users in 
combiaation with said digital information, (c) means to audit use 
of said digital information, (d) means to securely acquire usage 
information regarding use of advertising content, (e) means to 
securely report information based upon said advertising content 
usage information, (f) compensating at least one content provider 
at least in part based upon use of said advertising content. 

491. A method for electronic advertising characterized by 
the steps of (a) placing digital information into a container, (b) 
associating advertising information with at least a portion of said 
digital information, (c) securely providing said container to a 
container user, (d) monitoring user viewing of advertising 
information, and (d) receiving payment firom an advertiser, 
wherein said payment is related to user viewing of said 
advertising information. 

492. A system for electronic advertising involving (a) 
means to containerize digital information including both content 
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and advertising information, (b) means to monitor viewing of at 
least a portion of said advertising information, (c) means to 
charge for user viewing of at least a portion of said advertising 
information, (d) means to securely communicate information 
based upon said viewing in a secure container, and (e) control 
information related to said containerized digital information for 
managing the communication of said information based upon 
said viewing. 

493. A method for electronic advertising characterized by 
the steps of (a) containerizing digital information including both 
content and advertising information, (b) monitoring user viewing 
of at least a portion of said advertising information, (c) charging 
for user viewing of at least a portion of said advertising 
information, (d) securely communicating information based upon 
said viewing in a secure container, and (e) at least in part 
managing, through the use of control information related to said 
advertising information, the communication of information based 
upon said viewing. 

494. A method of clearing transaction information 
characteiized by the steps of (a) securely distributing digital 
information to a first user of an interoperable protected 
processing enviroimient, (b) securely distributing further digital 
information to a user of an interoperable protected processing 
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environment different firom said at first user (c) receiving 
information related to usage of said digital information, (d) 
receiving information related to usage of said further digital 
information, and (e) processing information received according to 
steps (c) and (d) to perform at least one of (I) an administrative, 
or (II) an analysis, function. 

495. A system for clearing transaction information 
including (a) a first container containing at least in part 
protected digital information and associated control information, 

(b) a second secure container containing fiirther at least in part 
protected digital information and associated control information, 

(c) means to distribute said first and second containers to users, 

(d) communication means for communicating information at least 
in part derived firom user usage of said first container digital 
information, (e) communication means for communicating 
information at least in part derived fi-om user usage of said 
second container digital information, (f) processing means at a 
clearinghouse site for receiving the information communicated 
through steps (d) and (e), wherein said processing means perform 
administrative and/or analysis processing of at least a portion of 
said commimicated information. 

496. A method for clearinghouse analysis characterized by 
the steps of: (a) enabling plural independent clearinghouses for 



1083 



wo 96/27155 



PCTAIS96/02303 



administrating and/or analyzing usage of distributed, at least in 
part protected, digital information, (b) providing interoperable 
protected processing environments to plural, independent users, 
and (c) enabling a user to select a clearinghouse for use with an 
interoperable protected processing environment 

497. A system for clearinghouse analysis including (a) 
plural independent clearinghouses for administrating and/or 
analyzing usage of distributed, at least in part protected, digital 
information, (b) at least one interoperable protected processing 
enviromnents at each of plural user locations, (c) selecting means 
for enabling a user to select one of said pltiral independent 
clearinghouse to perform payment and/or analysis functions 
related to the use of at least a portion of said at least in part 
protected, digital information. 

498. A method of electronic advertising characterized by 
the steps of 

creating one or more electronic advertisements, creating 
one or more secure containers including at least a portion of such 
advertisements, 

associating control information with such advertisements 
iacluding control information describing at least one of: (a) 
reporting at least some advertisement usage information to one 
or more content providers, advertisers and/or agents, (b) 



1084 



wo 96/27155 



PCTAJS96y02303 



providing one or more credits to a user based on such user^s 
viewing and/or other usage of such advertisements, (c ) reporting 
advertisement usage information to one or more market analysts, 
(d) providing a user with ordering information for and/or means 
for ordering one or more products and/or services, and/or (e) 
providing one or more credits to a content provider based on one 
or more users* viewing and/or other usage of such 
advertisements, 

providiag such containers and such control information to 
one or more users, 

enabling such users to use such containers at least in part 
in accordance with such control information. 

499, A system for electronic advertising including (a) 
means to provide digital information to users for their use, (b) 
means to provide advertising content to said users in 
combination with said digital information, (c ) means to audit use 
of said digital information, (d) means to acquire usage 
information regarding use of advertising content, (e) means to 
securely report information based upon said advertising content 
usage information, and (f) compensating at least one content 
provider at least in part based upon use of such advertising 
content. 
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500. A system for chain of handling and control indudm 
(a) a first container containing at least in part protected digital 
information, (b) at least in part protected control information 
stipulated by a first party establishing condition for use of at 
least a portion of said d^tal content, (c ) a second container 
different firom said first container, said second container 
containing said first container, and (d) control information 
stipulated independently by a second party for at least in part 
setting conditions for managing use of the contents of said second 
container. 

501. A method of operating a clearinghouse characterized 
by the steps of receiving usage information related at least in 
part to use of secure containers fi^om plxiral parties, determining 
pa}rments due to one or more parties based at least in part on 
such usage information, performing and/or causing to be 
performed transactions resulting in payments to such parties 
based at least in part on such determinations. 

502. An electronic clearinghouse comprising: 

means for receiving usage information related at least in 
part to use of secure containers fi*om plural parties, 

means for determining payments due to one or more 
parties based at least in part on such usage information, 
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means for performijig and/or catising to be performed 
traosactioiis resultixig in payments to such parties based at least 
in part on such determinations. 

503. A method of operating a clearinghouse characterized 
by the steps of receiving usage information related at least in 
part to use of secure containers from plural parties, determining 
reports of usage for one or more parties based at least in part on 
such usage information, creating and/or causing to be created 
reports of usage based at least in part on such determination, 
delivering at least one of such reports to at least one of such 
parties. 

504. A method of operating a clearinghouse characterized 
by the steps of receiving permissions and/or other control 
information from one or more content providers including 
information that enables dehvery of at least one right in at least 
one secure container to other parties, receiving requests from 
plural parties for one or more rights in one or more secure 
containers, dehvering permissions and/or other control 
information to such parties based at least in part on such 
requests. 

505. A method of operating a clearinghouse characterized 
by the steps of receiving information from one or more parties 
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establishing a party's identity information, creating one or more 
electronic representations of at least a portion of such identity 
information for use in enabling and/or withholding at least one 
right in at least one secure container, performing an operation to 
certify such electronic representations, deHvering such electronic 
representations to such party. 

506. A method of operating a clearinghouse characterized 
by the steps of receiving a request for credit from a party for use 
with secxire containers, determining an amount of credit based at 
least in part on such request, creating control information related 
to such an amoimt, delivering such control information to such 
user, receiving usage information related to use of such credit, 
performing and/or causing to be performed at least one 
transaction associated with collecting payment from such user. 

507. A method for contributing secure control information 
with respect to an electronic value chain wherein control 
information is contributed by a party not directly participating in 
said value chain, comprising steps of: aggregating said 
contributed control information with control information 
associated with digital information stipulated by one or more 
parties in an electronic value chain, said aggregate control 
information at least in part managing conditions related to the 
use of at least a portion of said digital information. 



1088 



V/096miSS 



PCT/US96/02303 



508. A method for entering the payment of taxes 
associated with commercial events wherein secure control 
information for automatically governing tax payments for said 
commercial events is contributed by a party comprising steps of: 
aggregating said secure control information with control 
information that has been contributed by a separate party and 
controlling at least one condition for use of digital information. 

509. A method for general purpose reusable electronic 
commerce arrangement characterized by the steps of: 

(a) providing component structures, modular methods that 
can be configured together to comprise event controlled 

Ot)) providing integrateable protected processing 
environments to plural independent users; 

(c) employing secure communications means for 
communicating digital control information between integrateable 
protected processing environments; and 

(d) enabling database managers operably connected to 
said processing environments for storing at least a portion of said 
provided component modular methods. 

510. A system for general purpose, reusable electronic 
commerce including: 

(a) component modular methods configured together to 
comprise event control structures; 
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(b) at least one interoperable processing environment at 
each of plural independent xiser locations; 

(c) secure communications means for communicating 
digital control information between interoperable protected 
processing environments; and 

(d) secured database managers operably connected to said 
protected processing environments for storing at least a portion 
of said component modular methods. 

511. A general purpose electronic commerce credit system 
including: 

(a) a secure interoperable protected processing 
environment; 

(b) general purpose credit control information for 
providing credit for user usage of at least in part protected digital 
information; and 

(c) at least in part protected digital information related 
control information for providing necessary information for 
employing credit through the use, at least in part, of said general 
purpose credit control information. 

512. A method for enabling a general purpose electronic 
commerce credit system including: 

(a) providing secure interoperable protected processing 
environments; 
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(b) supplying general pttrpose credit control information 
for providing credit for user usage of at least in part protected 
digital information; and 

(c) providing, at least in part, protected digital information 
related control information for providing necessary information 
for employing credit through the use, at least in part, of said 
general purpose credit control information. 

513. A document management system comprising one or 
more electronic appliances containing one or more SPUs and one 
or more secure databases operatively connected to at least one of 
the SPUs. 

514. An electronic contract system comprising one or more 
electronic appliances containing one or more SPUs and one or 
more secure databases operatively connected to at least one of 
the SPUs. 

515. An electronic appliance containing at least one SPU 
and at least one secure database operatively connected to at least 
one of the SPU(s). 

516. An electronic appliance containing one or more CPUs 
where at least one of the CPUs is integrated with at least one 
SPU. 
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517. Ab electronic appliance containing one or more video 
controllers where at least one of the video controllers is 
integrated with at least one SPU. 

518. An electronic appliance containing one or more 
network commtinications means where at least one of the 
network communications means is integrated with at least one 
SPU. 

519. An electronic appKance containing one or more 
modems where at least one of the modems is integrated with at 
least one SPU. 

520. An electronic appliance containing one or more CD- 
ROM devices where at least one of the CD-ROM devices is 
integrated with at least one SPU. 

521. An electronic appliance containing one or more set- 
top controllers where at least one of the set-top controllers is 
integrated with at least one SPU. 

522. An electronic appliance containing one or more game 
systems where at least one of the game systems is integrated 
with at least one SPU. 
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523. An integrated circuit supporting multiple encryption 
algorithms comprising at least one microprocessor, memoiy, 
iniiut/output means, at least one circuit for encrypting and/or 
decrypting information and one or more software programs for 
use with at least one of the microprocessors to perform encryption 
and/or decryption functions. 

524. An integrated circuit comprising at least one 
microprocessor, memory, at least one real time clock, at least one 
random number generator, at least one circuit for encrypting 
and/or decrypting information and independently delivered 
and/or independently deliverable certified software. 

525. An integrated circuit comprising at least one 
microprocessor, memory, input/output means, a tamper resistant 
barrier and at least a portion of a Rights Operating System. 

526. An integrated circuit comprising at least one 
microprocessor, memory, input/output means, at least one real 
time clock, a tamper resistant barrier and means for recording 
interruption of power to at least one of the real time clocks. 
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